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Description 

BACKGROUND OF THE INVENTION 
FIELD OF THE INVENTION 

[0001 J The present invention relates to a scheme for fast realization of encryption, decryption and authentication which 
is suitable for data concealment and communicating individual authentication in communications for a digital TV, a pay- 
per-view system of the satellite broadcast, a key distribution in the information distribution, electronic mails, electronic 
transactions, etc. 

DESCRIPTION OF THE BACKGROUND ART 

[0002] In recent years, in the field of communications, various types of cryptographic techniques have been proposed 
because the cryptographic technique can be effectively used for the protection of secrecy between communicating 
parties such as the concealment of information to be transmitted. The performances of such a cryptographic technique 
can be evaluated in terms of the security level of cryptosystem and the speed of encryption/decryption. Namely, the 
cryptosystem for which the security level is high and the encryption/decryption speed is high is a superior cryptosystem. 
[0003] Among such cryptographic techniques, there is a type of public key cryptosystem that uses the modular exponent 
calculations, known as RSA (Rivest Shamir Adleman) cryptosystem, which is already in practical use. In this RSA 
cryptosystem, it has been shown that the plaintext can be obtained from the ciphertext if the prime factoring of the public 
key can be made (see R. Rivest, A. Shamir and L. Adleman; "A method for obtaining digital signatures and public-key 
cryptosystems", Comm. ACM, Vol. 21, No. 2, pp. 120-126 (1978)). 

[0004] The public key cryptosystem such as RSA cryptosystem has its security based on the computational difficulty 
for obtaining the private key from the public key which is a publicly disclosed information, so that the security level can 
be increased as much when a size of the public key is increased. On the other hand, the RSA cryptosystem has been 
associated with a drawback that it requires a considerable amount of time for encryption/decryption because it carries 
out higher degree modular exponent calculations and therefore the required amount of calculations is large. 
[0005] The encryption/decryption can be made faster by reducing the degree of the modular exponent calculations, 
for example, but that will require the reduction of the size of the public key and that in turn causes the lowering of the 
cryptosystem security. 

[0006] In the following, the RSA cryptosystem will be described in further detail. 

[0007] First, mutually different arbitrary prime numbers p and q are set as the first private key, and the first public key 
n is obtained as: 



n * pq 

while the least common multiple L of (p-1) and (q-1) is obtained as: 



L = 1cm (p-1, q-1) . 
[0008] Then, an arbitrary integer e is set as the second public key, and the second private key d given by: 



ed s 1 (mod L) 

is obtained using the Euclidean division algorithm. 

[0009] Then, a plaintext M and its ciphertext C can be expressed as follow: 



C s M e (mod n) , 
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M 2 C d (mod n). 



[0010] Here, the value of the second public key e can be rather small like 13, for instance, so that the encryption 
processing can be made very fast, but the value of the second private key d has a size nearly equal to n so that the 
decryption processing will be quite slow. 

[001 1 ] On the other hand, the processing amount of the modular exponent calculations is proportional to the cube of 
the size of a number, so that by utilizing this property, the Chinese remainder theorem can be used in order to make the 
decryption processing faster. 

[0012] The decryption processing using the Chinese remainder theorem proceeds as follows. 



dp s d (mod p-1) , 



dq s d (mod q-1). 



uq b i (mod p) . 



M P 3 C d » (mod p) , 



Mo b c d 9 (mod q) , 



M b ((Mp - M, )u (mod p))q + M Q , 



where u is an inverse of q modulo p. 

[0013] Here, the size of each of p, q, d p and d q is a half of the size of n so that the modular exponent calculations 
module p or q can be processed eight times faster, and as a result, the decryption processing as a whole can be made 
four times faster. 

[0014] Also, the RSA cryptosystem can be easily cryptoanalyzed if the prime factoring of n can be made. Currently, 
the potentially threatening prime factoring algorithms include the number field sieve method and the elliptic curve method. 
[0015] The required amount of calculations is of a quasi-exponential order of the size of n in the number field sieve 
method and of a quasi-exponential order of the size of a prime number in the elliptic curve method. The elliptic curve 
method is practically not a problem because of its high order calculations and large coefficients. On the other hand, the 
number field sieve method has a record for the prime factoring of the largest number realized so far, which is about 140 
figures in decimal. Consequently, attacks using these methods are not threatening in practice if n is 1024 bits or so. 
[0016] In addition, there are cases where a public key cryptosystem apparatus can be used as an authentication 
apparatus by reversing the public key and secret key calculations in general. 

[0017] WO 90/02456 discloses a method whereby individual members of a group of members or entities may be 
provided, under the control of a trusted member, referred to as the parent, with respective individual secret keys for use 
i n public key cryptography, such that the matching public key can be readily derived, and group membership authenti- 
cated. The parent initially establishes a public key (e, N) where N = P.Q is the product of two primes. In response to a 
request from a group member, and the parent selects two further primes R, S and communicates two values dependent 
thereon to the requesting member, which selects two more primes T and U for use in conjunction with the received 
values to establish the member's secret key. 
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SUMMARY OF THE INVENTION 

[0018] It Is therefore an object of the present invention to provide a new scheme for encryption, decryption and 
authentication which is capable of overcoming the problems associated with the conventionally known RSA cryptosystem 
as described above. 

[001 9] More specifically, objects of the present invention are: 

(1) to realize an encryption/decryption scheme which has the same security level compared with the known RSA 
cryptosystem on rational integer ring, 

(2) to realize an encryption/decryption scheme for which the encryption/decryption processing is faster than the 
conventional RSA cryptosystem; 

(3) to realize an encryption/decryption scheme which can also be utilized as an authentication scheme such that a 
single apparatus can be used for both the cipher communications and the authentication, and 

(4) to realize an authentication scheme for which the authenticator generation and the verification are faster than 
the known authentication scheme based on the conventional RSA cryptosystem. 

[0020] According to the present invention there is provided a decryption method according to the appended claim 1 , 
an authentication method according to the appended claim 5, a decryption apparatus according to the appended claim 
9, a cipher communication system according to the appended claim 10, an authentication message sender apparatus 
according to the appended claim 1 1 , an authentication system according to the appended claim 1 2, and computer usable 
media according to the appended claims 1 3 and 1 4. Preferred embodiments of the invention are defined in the dependent 
claims. 

[0021] Other features and advantages of the present invention will become apparent from the following description 
taken in conjunction with the accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0022] 

Fig. 1 is a block diagram of a cipher communication system according to one embodiment of the present invention. 
Fig. 2 is a flow chart for an encryption processing of an encryption apparatus in the cipher communication system 
of Fig. 1. 

Fig. 3 is a flow chart for a decryption processing of a decryption apparatus in the cipher communication system of 
Fig. 1. 

Fig. 4 is a block diagram of an authentication system according to one embodiment of the present invention. 
Fig. 5 is a flow chart for an authentication processing in the authentication system of Fig. 4. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

[0023] There may be provided an encryption method, comprising the steps of: setting N (> 2) prime numbers p v p 2 , 

, P N as a first private key, and a product p^pj* »•■ p N kN as a first public key n, where k1, k2, kN are arbitrary 

positive integers; determining a second public key e and a second private key d which satisfy: 

ed b i (mod L) 

where L is a least common multiple of p r l , p 2 -1, , p N -1, using the first secret key; and obtaining a ciphertext C from 

a plaintext M according to: 



C 2 M e (mod n) 

using the first public key n and the second public key e. 

[0024] According to another aspect there is provided a decryption method for decrypting a ciphertext C obtained from 
a plaintext M according to: 
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C 2 m« (mod n) 

using a first private key given by N (> 2) prime numbers p v p 2 , , p N , a first public key n given by a product p/ 1 ^ 

PN kN where k "l» k2. kN are arbitrary positive integers, a second public key e and a second private key d 

which satisfy: 

ed s 1 (mod L) 

where L is a least common multiple of p r 1 , p 2 -1, , p N -1 , the method comprising the steps of: obtaining residues 

M P 1 ki » M P 2k2» » M pNkN modulo p1 k1 , p2 k2 , , p N kN , respectively, of the plaintext M using a prescribed loop calculation 

with respect to the first private key p v p 2 , , p N ; and recovering the plaintext M by applying Chinese remainder 

theorem to the residues Mp 1k1 , M p2k2 , , M pNkN . 

[0025] According to another aspect there may be provided an authentication method for authenticating an authenti- 
cation message sent from a sender to a receiver, comprising the steps of: (a) setting at the sender side a first private 

key given by N (> 2) prime numbers p v p 2 , , p N , a first public key n given by a product p^ 1 p 2 k2 p N KN where 

k1 , k2, kN are arbitrary positive integers, a second public key e and a second private key d which satisfy: 



ed s 1 (mod L) 

where L is a least common multiple of p 1 -1, p 2 -1, , p N -l; (b) obtaining at the sender side an authenticator h(M) 

by hashing the authentication message M using a hash function h; (c) obtaining at the sender side an encrypted au- 
thenticator h(C) of the authenticator h(M) according to: 



h(M) 2 h(C)« (mod n) 

by obtaining residues h(C) plkl , h(C) p2k2 , , h(C) pNkN modulo p/ 1 , p 2 k2 , , p N *N respectively, of the encrypted 

authenticator h(C) using a prescribed loop calculation with respect to the first secret key p 1 , p 2 , , p N> and applying 

Chinese remainder theorem to the residues h(C) p1k1 , h(C) p2k2 , , h(C) pNkN ; (d) sending the encrypted authenticator 

h(C) and the authentication message M from the sender to the receiver; (e) obtaining at the receiver side a first authen- 
ticator h(M) 1 by calculating h(C)° (mod n) from the encrypted authenticator h(C) received from the sender using the 
second public key e; (f) obtaining at the receiver side a second authenticator h(M) 2 by hashing the authentication message 
M received from the sender using the hash function h; and (g) judging an authenticity of the authentication message M 
at the receiver side by checking whether the first authenticator h(M) 1 and the second authenticator h(M) 2 coincide or not. 
[0026] According to another aspect there may be provided an encryption apparatus, comprising: an encryption/de- 
cryption key generation processing unit for setting N (> 2) prime numbers p v p 2 , , p N as a first private key, and a 

product p/^* 2 p N KN as a first public key n, where k1 , k2, , kN are arbitrary positive integers, and determining 

a second public key e and a second private key d which satisfy: 



ed a 1 (mod L) 

where L is a least common multiple of p., -1 , p 2 -1 , , p N -l , using the first private key; and an encryption processing 

unit for obtaining a ciphertext C from a plaintext M according to: 



C 5 M° (mod n) 

using the first public key n and the second public key e. 
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[0027] According to another aspect of the present invention there is provided a decryption apparatus for decrypting 
a ciphertext C obtained from a plaintext M according to: 



C s m° (mod n) 



using a first private key given by N (> 2) prime numbers p v p 2 , , p N , a first public key n given by a product p 1 k1 p 2 k2 

Pm^ where k1, k2, , kN are arbitrary positive integers, a second public key e and a second private key d 

which satisfy: 



ed s i (mod L) 

where L is a least common multiple of p.,-1, p 2 -1, , p N -1, the apparatus comprising: a calculation processing unit 

for obtaining residues M p1k1 , M p2k2 , , M pNkN modulo p/ 1 , p 2 &, , p N «<N > respectively, of the plaintext M using 

a prescribed loop calculation with respect to the first private key p 1( p 2 , , p N ; and a decryption processing unit for 

recovering the plaintext M by applying Chinese remainder theorem to the residues M p1k1 , M p2k2 , , M pNkN . 

[0028] According to another aspect there may be provided a cipher communication system, comprising: a sender 
apparatus having: an encryption/decryption key generation processing unit for setting N (> 2) prime numbers p v p 2 , 

, P N as a fir st private key, and a product p 1 k1 p 2 k2 p N kN as a first public key n, where k1, k2, , kN are 

arbitrary positive integers, and determining a second public key e and a second private key d which satisfy: 



ed h 1 (mod L) 

where L is a least common multiple of p r 1 , p 2 -1 , , p N -1 , using the first private key; and an encryption processing 

unit for obtaining a ciphertext C from a plaintext M according to: 



C s M e (mod n) 



using the first public key n and the second public key e; and a receiver apparatus having: a calculation processing unit 

for obtaining residues M p1k1 , M p2k2 , , M pNkN modulo p/ 1 , p 2 k2 , , p N kN , respectively, of the plaintext M using 

a prescribed loop calculation with respect to the first private key p^ p 2 , , p N ; and a decryption processing unit for 

recovering the plaintext M by applying Chinese remainder theorem to the residues M p1k1 , M p2k2 , , M pNkM . 

[0029] According to another aspect there may be provided an authentication message sender apparatus for use in 
authenticating an authentication message sent from a sender to a receiver, the apparatus comprising: an encryption/ 
decryption key generation processing unit for setting at the sender side a first private key given by N (> 2) prime numbers 

Pi, P2 Pn. a flrst P ub,ic ke y n 9'ven by a product P^ k \ 2 U2 PN kN wnere k1 . ^ kN are arbitrary positive 

integers, a second public key e and a second private key d which satisfy: 



ed 5 1 (mod L) 

where L is a least common multiple of p t -1 , p 2 -1, , p N -1; an authentication message hashing processing unit for 

obtaining at the sender side an authenticator h(M) by hashing the authentication message M using a hash function h; 
and an authenticator encryption processing unit for obtaining at the sender side an encrypted authenticator h(C) of the 
authenticator h(M) according to: 



h(M) £ h(C)« (mod n) 
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by obtaining residues h(C) p1kl , hfC)^, , h(C) pNkN modulo p/ 1 , p 2 V2 i , p^, respectively, of the encrypted 

authenticator h(C) using a prescribed loop calculation with respect to the first private key p 1t p 2 , , Pn> and applying 

Chinese remainder theorem to the residues h(C) p1k1 , h(C) p2k2 , , h(C) pNkN> and then sending the encrypted authen- 
ticator h(C) and the authentication message M to the receiver. 
5 [0030] According to another aspect of the present invention there is provided an authentication message receiver 
apparatus for use in authenticating an authentication message sent from a sender to a receiver, using a first private key 

given by N (> 2) prime numbers p 1( p 2 , , p N , a first public key n given by a product p/ 1 p 2 k2 - p N kn where k1 , k2, 

, kN are arbitrary positive integers, a second public key e and a second private key d which satisfy: 

10 

ed s i. (mod L) 

where L is a least common multiple of p 1 -1 , p 2 -1, , p N -1, the apparatus comprising: an authenticator decryption 

15 processing unit for obtaining a first authenticator h(M) 1 by calculating h(C) e (mod n) from an encrypted authenticator h 
(C) received from the sender using the second public key e; an authentication message hashing processing unit for 
obtaining a second authenticator h(M) 2 by hashing an authentication message M received from the sender using a hash 
function h; and an authenticity verification processing unit forjudging an authenticity of the authentication message M 
at the receiver side by checking whetherthe first authenticator hfM^ and the second authenticator h(M) 2 coincide or not. 
20 [0031] According to another aspectthere maybe provided an authentication system for authenticating an authentication 
message sent from a sender to a receiver, the system comprising: a sender apparatus having: an encryption/decryption 
key generation processing unit for setting at the sender side a first private key given by N (> 2) prime numbers p v p 2 , 

, p N , a first public key n given by a product p, k1 p 2 vz P N kN where k1 , k2, , kN are arbitrary positive integers, 

a second public key e and a second private key d which satisfy: 

25 

ed s 1 (mod L) 



30 where L is a least common multiple of p^ -1 , p 2 -1, , p N -1 ; an authentication message hashing processing unit for 

obtaining at the sender side an authenticator h(M) by hashing the authentication message M using a hash function h; 
and an authenticator encryption processing unit for obtaining at the sender side an encrypted authenticator h(C) of the 
authenticator h(M) according to: 

35 

h(M) s h(C)« (mod n) 

by obtaining residues h(C) p1k1 , h(C) p2k2 , , h(C) pNkN modulo p/ 1 , p 2 k2 , , p N kN , respectively, of the encrypted 

40 authenticator h(C) using a prescribed loop calculation with respect to the first private key p., , p 2 , , p N , and applying 

Chinese remainder theorem to the residues h(C) p1 k1 , h(C) p2k2 , , h(C) pNKN , and then sending the encrypted authen- 
ticator h(C) and the authentication message M to the receiver; and a receiver apparatus having: an authenticator de- 
cryption processing unit for obtaining a first authenticator h(M) 1 by calculating h(C) e (mod n) from the encrypted authen- 
ticator h(C) received from the sender using the second public key e; an authentication message hashing processing unit 
^5 for obtaining a second authenticator h(M) 2 by hashing the authentication message M received from the sender using 
the hash function h; and an authenticity verification processing unit for judging an authenticity of the authentication 
message M by checking whether the first authenticator htM^ and the second authenticator h(M) 2 coincide or not 
[0032] According to another aspect there may be provided a computer usable medium having computer readable 
program code means embodied therein for causing a computer to function as an encryption apparatus, the computer 
so readable program code means includes: first computer readable program code means for causing said computer to set 

N (> 2) prime numbers p, , p 2 , , p N as a first private key, and a product p/ 1 p 2 k2 p H m as a first public key n, 

where k1 , k2, , kN are arbitrary positive integers, and determining a second public key e and a second private key 

d which satisfy: 

55 

ed 3 i (mod L) 
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where Lisa least common multiple of p 1 -1 , p 2 -1 , , P N -1 , using the first private key; and second computer readable 

program code means for causing said computer to obtain a ciphertext C from a plaintext M according to: 

5 C s M c (mod n) 



using the first public key n and the second public key e. 

[0033] According to another aspect of the present invention there is provided a computer usable medium having 
io computer readable program code means embodied therein for causing a computer to function as a decryption apparatus 
for decrypting a ciphertext C obtained from a plaintext M according to: 



C s M* (mod n) 

15 

using a first private key given by N (> 2) prime numbers p 1t p 2 , , p N , a first public key n given by a product p^ 1 pj 2 

p^ where k1, k2, , kN are arbitrary positive integers, a second public key e and a second private key d 

which satisfy: 

20 

cd a 1 (mod L) 

25 where L is a least common multiple of p, -1 , p 2 -1, , p N . v the computer readable program code means includes: 

first computer readable program code means for causing said computer to obtain residues M p1k1 , M p2k2 , M pNkN 

modulo p^ 1 , p 2 k2 , , p N kN , respectively, of the plaintext M using a prescribed loop calculation with respect to the 

first private key p v p 2 , , p N ; and second computer readable program code means for causing said computer to 

recover the plaintext M by applying Chinese remainder theorem to the residues M p1k1 , M p2k2 , , M pNkN . 

30 [0034] According to another aspect there may be provided a computer usable medium having computer readable 
program code means embodied therein for causing a computer to function as an authentication message sender appa- 
ratus for use in authenticating an authentication message sent from a sender to a receiver, the computer readable 
program code means includes: first computer readable program code means for causing said computer to set at the 
sender side a first private key given by N (> 2) prime numbers p^ p 2 , , p Nt a first public key n given by a product 

35 p/1 p 2 k2 p N kN where k1, k2, , kN are arbitrary positive integers, a second public key e and a second private 

key d which satisfy: 

ed 5 i (mod L) 

40 

where L is a least common multiple of p r 1, p 2 -1, , p N -1; second computer readable program code means for 

causing said computer to obtain at the sender side an authenticator h(M) by hashing the authentication message M 
using a hash function h; and third computer readable program code means for causing said computer to obtain at the 
45 sender side an encrypted authenticator h(C) of the authenticator h(M) according to: 



h(M) s h(C) e (mod n) 

50 

by obtaining residues h(C) p1k1 , h(C) p2k2 , , h(C) pNkN modulo P/ 1 ' p 2 k2 t , p N kN , respectively, of the encrypted 

authenticator h(C) using a prescribed loop calculation with respect to the first private key p lt p 2 , , p N , and applying 

Chinese remainder theorem to the residues h(C) p1k1 , h(C) p2k2 , , h(C) pNkN , and then sending the encrypted authen- 
ticator h(C) and the authentication message M to the receiver. 
55 [0035] According to another aspect there may be provided a computer usable medium having computer readable 
program code means embodied therein for causing a computer to function as an authentication message receiver 
apparatus for use in authenticating an authentication message sent from a sender to a receiver, using a first private key 
given by N (> 2) prime numbers p v p 2 , , p N , a first public key n given by a product p/ 1 p 2 k2 p N kN where k1, 
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k2, , kN are arbitrary positive integers, a second public key e and a second private key d which satisfy: 



ed si (mod L) 

where L is a least common multiple of p 1 -1 , p 2 -1 , , p N -1 , the computer readable program code means includes: 

first computer readable program code means for causing said computerto obtain a first authenticator h(M) 1 by calculating 
h(C) e (mod n) from an encrypted authenticator h(C) received from the sender using the second public key e; second 
computer readable program code means for causing said computer to obtain a second authenticator h(M) 2 by hashing 
an authentication message M received from the sender using a hash function h; and third computer readable program 
code means for causing said computer to judge an authenticity of the authentication message M at the receiver side by 
checking whether the first authenticator and the second authenticator h(M) 2 coincide or not. 
[0036] Referring now to Rg. 1 to Fig. 4, one embodiment of the scheme for encryption, decryption and authentication 
according to the present invention will be described in detail. 

[0037] Note that the encryption/decryption scheme of the present invention is realizable using n = p^ 1 p 2 & p N kN 

in general, as will be described below, but the more practical exemplary case of using n = p/ 1 p 2 will be described first. 

In the following, an expression "p k q" corresponds to a special case of the general expression p., k1 p^* 2 p^ (where 

Pi. P2 » Pn are N £ 2 ) P rime numbers) with N = 2, p 1 = p, p 2 = q, k1 = k and k2 = 1 . 

[0038] Fig. 1 shows an overall configuration of a cipher communication system according to one embodiment of the 
present invention. 

[0039] The cipher communication system of Fig. 1 generally comprises an encryption apparatus 1 0 and a decryption 
apparatus 19 which are connected through a communication path 14. The encryption apparatus 10 has an encryption 
processing unit 13 for obtaining a ciphertext C from a plaintext M given as its input, and transmitting the obtained 
ciphertext C to the decryption apparatus 19 through the communication path 14. The decryption apparatus 19 has a 
decryption processing unit 1 5 for recovering the plaintext M from the ciphertext C transmitted by the encryption processing 
unit 1 3, and outputting the obtained plaintext M as its output. This decryption processing unit 1 5 includes a loop calculation 
processing unit 17. 

[0040] In addition, the encryption apparatus 1 0 also has an encryption/decryption key generation processing unit 1 1 
connected with both the encryption processing unit 1 3 and the decryption processing unit 1 5, for supplying the first public 
key n and the second public key e to the encryption processing unit 1 3 while supplying the firstprivatekey p. q, the second 
private key d, an arbitrary positive integer k, the first public key n and the second public key e to the decryption processing 
unit 15. 

[0041] Next, the operation of the encryption apparatus 1 0 will be described in detail with reference to Fig. 2. 
[0042] First, the encryption/decryption keys are generated at the encryption/decryption key generation processing unit 
11 as follows (step S101). 

[0043] Here, the first private key is to be given by two rational prime numbers p and q, and the first public key is to be 
given by their product, i.e., n = pkq. Also, using the function Icm for obtaining the least common multiple, L given by: 



L = 1cm (p-1, q-D 

is obtained from the first private key p and q. 
[0044] Next, e and d that satisfies: 



ed s i (mod L) 



are obtained. Then, the residues d p and d q of the obtained d modulo (p-1) and (q-1) respectively are obtained as: 



dp : = d (mod p-1) , 
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do : = d (mod q-1) , 

where a symbol ":=" denotes the operation to calculate the right hand side and substitute it into the left hand side, and 
a set of three numbers d, dp and dq is set as the second private key, while e is set as the second public key. In this way, 
the first public key n, the second public key e, the first private key p, q, and the second private key d, d p and d q are set up. 
[0045] Then, the ciphertext C is obtained at the encryption processing unit 13 as follows (step S1 02). 
[0046] The encryption processing unit 1 3 encrypts the plaintext M by using the first public key n and the second public 
key e, according to the formula: 



C s M e (mod n) 

and transmits the obtained ciphertext C to the receiving side. 

[0047] Next, the operation of the decryption apparatus 1 9 will be described in detail with reference to Fig. 3. 
[0048] The decryption processing unit 15 obtains the plaintext M as an output from the ciphertext C entered from the 
encryption processing unit 13 through the communication path, the first private key p, q, the second private key d, the 
second public key e and the arbitrary positive integer k which are entered from the encryption/decryption key generation 
processing unit 1 1 , by carrying out the following substitution calculation processing, where a symbol ■;=■ denotes the 
operation to calculate the right hand side and substitute it into the left hand side. 

[0049] (Step S201) The values d p and d q of the second secret key d modulo p-1 and q-1 respectively are obtained as 
follows. 



do := d (mod p-1) > 



do d (mod q-1) . 

Note that there is no need to calculate these d (mod p-1 ) and d (mod q-1 ) at every occasion of the encryption/decryption 
and it suffices to produce them once in advance as the private key. In such a case, d will be necessary only at the 
intermediate stage for producing these d (mod p-1) and d (mod q-1). 

[0050] (Step S202) The residues M q of the plaintext M modulo p and q respectively are obtained from the ciphertext 
C as follows. 



Ko := C d p (mod p) , 



Mo ; B c* 0 (mod q) . 

[0051] (Step S203) The residue M pk of the plaintext M modulo p k is obtained by carrying out the following loop calculation 
according to the fast decryption algorithm disclosed in T. Takagi, "Fast RSA-type cryptosystem using n-adic expansion", 
Advances in Cryptology - CRYPTO'97, LNCS 1294, pp. 372-384 and in U.S. Patent Application Serial No. 08/907,852 
of the present inventors, at the loop calculation processing unit 17. 



Ao : o Ko ; 

FORi = 1 to(k-1)do 
begin 
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F; := (Ai - i e ) (mod p 1 * 1 ) ; 
Ei := (C - F; ) (mod p* * 1 ) ; 
Bi :=* E; /p ; in Z; 
K; := ((eFi )~ * A; - 1 Bi ) (mod p): 
Ai := Ai - 1 ♦ p 1 Ki in Z; 



end 

20 M» k : 8 Ak - i • 

[0052] (Step S204) The residue of the plaintext M with respect to a composite number n is obtained by applying the 
Chinese remainder theorem to the residues M pk and M q , so as to complete the decryption. 
25 [0053] More specifically, the Chinese remainder theorem can be applied by the following calculation. 

qi : » q- 1 (mod p fc ) ; 
30 vi := ((Mpk - Mq )qi ) (mod p k ) ; 

M := (Mq ♦ qvj ) . 

35 

[0054] Alternatively, the Chinese remainder theorem can also be applied by the following calculation. 
40 P» (P k )'* (mod q) ; 

vi := ((Ma -M P k)pi) (mod q) ; 

45 

M := (Mpk ♦ p k vi ) , 
[0055] Alternatively, the Chinese remainder theorem can also be applied by the following calculation. 

50 

pi :- (p*)" 1 (mod q); 
55 q» :* Q~ 1 (mod p k ) ; 
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M := (qiqMpk ♦ piP k M») (mod p k q). 

5 [0056] Next, the functions of the respective processing units in the cipher communication system of Fig. 1 will be 
described along their processing procedure. 

[0057] First, as the first stage, at the encryption/decryption key generation processing unit 1 1 , two prime numbers p 
and q to be the first private key are generated, and the product n = p k q of these two prime numbers p and q is obtained 
as the first public key. Here, k is an arbitrary integer to be selected by accounting for the security level and the processing 
10 speed. Also, as can be seen from the formula n = p k q forthe first public key n, the sizes of p and q can be made smaller 
when k is larger for a constant size (the number of digits, for example) of n, and the prime factoring becomes as much 
easier (that is, it becomes easier to learn the values of p and q) so that the security level of this cryptosystem becomes 
lower. 

[0058] Next, the least common multiple L is calculated from these two prime numbers p and q, and the second pubic 
15 key e and the second private key d are generated according to ed 1 (mod L). This calculation of the least common 
multiple L can be done by first obtaining the greatest common divisor using the extended Euclidean division algorithm 
and then multiplying the remaining factors to obtain the least common multiple. 

[0059] Note that the pair of e and d at this point is uniquely determined from ed = 1 (mod L). Although it can be any 
pair that satisfies this condition in principle, usually the second public key e is set to be a smaller value in order to make 
20 the encryption faster. For this reason, the second private key d becomes a considerably large number so that the 
decryption processing becomes slow when the conventional scheme is adopted. Note that the second public key e and 
the second private key d are in relationship of inverse numbers modulo L, so that the second private key d can be 
obtained if the second public key e and the least common multiple L are known. 

[0060] Next, as the second stage, at the encryption processing unit 1 3, the encryption is carried out according to the 
25 formula: 



C a M e (mod n) 

30 

using the second public key e of the receiving side, and the ciphertext C is transmitted to the receiving side. 
[0061] Then, as the third stage, at the decryption processing unit 15, M pk M (mod p k ) and M q = C d£ i (mod q) are 
obtained using the aforementioned fast decryption algorithm, and the Chinese remainder theorem is applied to these 
two numbers. According to the Chinese remainder theorem, when the residues of an unknown number for plural moduli 
35 are known, the unknown number (solution) modulo a product of these plural moduli can be obtained uniquely so that M 
can be recovered. 

[0062] Now, concrete examples of the encryption according to this embodiment will be described. 
[0063] First, the exemplary case of k = 2 can be summarized as follows. 

*o Public key e = 5 

Public key n = 40270132689707 

Private key d = 234982541 

Private key p = 34273 

Private key q = 34283 
45 Plaintext M = 1234567890 

Ciphertext C= 10229049760163 

A €) = K 0 = 20157 

M e = 2777 

Kt = 1748 
50 M p = /\g + pK 1 = 59929361 

Plaintext M = 1234567890 

[0064] In this case, the value of each one of the first private key p and q is about n 1/ ( k+1 ), and the least common 
multiple L is about n 27 ^ 2 ) which is smaller than the RSA cryptosystem so that it can contribute to the realization of the 
55 faster encryption/decryption. 

[0065] More specifically, the calculation time for C d mod n is 0((log n) 2 (log d)) while the calculation time for C d mod p 
and C d mod q is 0(1/3 log n) 2 (2/3 log n). Thus the overall processing time is 0.1 48 times that of the RSA cryptosystem, 
and it is a little over three times faster than the Quisquater-Couvreur scheme that utilizes the Chinese remaindertheorem 
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(which has the calculation time of 0(1/2 log n) 2 (1 log n)). 

[0066] Next, the exemplary case of k = 3 can be summarized as follows. 

Public key e = 5 

Public key n = 627252701350243 

Private key d = 7515005 

Private key p = 5003 

Private key q = 5009 

Plaintext M = 123456789012345 

Ciphertext C = 287551735059915 

A^ = K 0p = 1732 

M q = 3412 

K 1p = 4821 

A 1 =24121195 

Kgp = 4395 

M p 2 = A 2 = A 1 + p 2 K 2 = 11003101 0750 
Plaintext M = 123456789012345 

[0067] It should be apparent that the encryption/decryption scheme described above is also applicable to the case of 
using three prime numbers p 1 = p, p 2 = q and p 3 = r as the first private key and a product p k q € r™ where k = k1 , t = k2 
and m = k3 as the first public key n. 

[0068] In this case, the decryption can be realized by first obtaining K^p, Kq and r modulo p, q and r, respectively, 
by integer modular exponent calculations of: 



K8» :° C d 0 (mod p) ; 



Ko q := C d « (mod q) ; 



Ka.' := C d r (mad F>f 



where: 



dp : = d (mod p-1) ; 



dq : = d (mod q-1 ) ; 



dr := d (mod r-1 ) ; 



next obtaining the residues M pk , and M rrn modulo p k , q* and r™, respectively, by applying the loop calculation to 
KqP, Ktf* and K^ r , respectively, and then applying the Chinese remainder theorem to the residues M pk , M q€ and M^. 
[0069] It should also be apparent that the encryption/decryption scheme described above can be generalized to the 
case of using N (> 2) prime numbers p v p 2 , , p N as a first private key, and a product p^ 1 p 2 k2 p N kN as a first 
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public key n, where k1, k2, , kN are arbitrary positive integers, a second public key e and a second private key d 

which satisfy: 

5 ed a 1 (mod L) 

where L is a least common multiple of p., -1 , p 2 -1, , P N -1. 

[0070] In this general case, a ciphertext C can be obtained from a plaintext M according to: 

10 

C 5 m° (mod n) 

using the first public key n and the second public key e defined above. 

15 [0071] Also in this case, the decryption can be realized by first obtaining residues M p1k1 , M p2k2> , M pNkN modulo 

Pl ki f p 2 k2 > p N kN respectively, of the plaintext M using the loop calculation of the aforementioned fast decryption 

algorithm with respect to the first private key p 1t Pg, , p N , and then applying the Chinese remainder theorem to the 

residues M plk1 M p2k2 , , M pNkN . 

[0072] Next, Fig. 4 shows an overall configuration of an authentication system according to one embodiment of the 
20 present invention. 

[0073] The authentication system of Fig. 4 generally comprises a sender apparatus 20 and a receiver apparatus 33 
which are connected through a communication path 26. The sender apparatus 20 has an authentication message hashing 
processing unit 23 for outputting an authenticator h(M) by applying a hashing processing on an input authentication 
message (plaintext) M, and an authenticator encryption processing unit 25 for encrypting the authenticator h(M) outputted 
25 from the authentication message hashing processing unit 23 and transmitting the obtained encrypted authenticator h 
(C) through a communication path 26. 

[0074] The receiver apparatus 33 has an authenticator decryption processing unit 27 for obtaining a first authenticator 
\\(U)^ from the encrypted authenticator h(C) and an authentication message hashing processing unit 29 for obtaining a 
second authenticator h(M) 2 from the authentication message M, both of which are connected to the authentication 
30 encryption processing unit 25 through the communication path 26, and an authenticity verification processing unit 31 
for verifying an authenticity of the authentication message M, which is connected with the authenticator decryption 
processing unit 27 and the authentication message hashing processing unit 29. 

[0075] In addition, the sender apparatus 20 also has an authentication encryption/decryption key generation processing 
unit 21 for outputting authentication encryption/decryption keys to the authenticator encryption processing unit 25 and 
35 the authenticator decryption processing unit 27 respectively. 

[0076] This authentication system of Fig. 4 realizes the authentication scheme in which a person who wishes to have 
the own authentication message authenticated will send to the receiving side an authenticator generated by encrypting 
the authentication message by using the own private key. 

[0077] Now, the operations of the respective processing units in the authentication system of Fig. 4 will be described 

40 along their processing procedure with reference to Fig. 5. 

[0078] First, as the first stage (step S301 ), at the authentication encryption/decryption key generation processing unit 
21, two prime numbers p and q to be the first private key are generated, and the product n = p k q of these two prime 
numbers p and q is obtained as the first public key. Here, k is an arbitrary integer to be selected by accounting for the 
security level and the processing speed. Also, as can be seen from the formula n = p^ for the first public key n, the 

45 sizes of p and q can be made smaller when k is larger for a constant size (the number of digits, for example) of n, and 
the prime factoring becomes as much easier (that is, it becomes easier to learn the values of p and q) so that the security 
level of this cryptosystem becomes lower. Then, the least common multiple L is calculated from these two prime numbers 
p and q, and the second pubic key e and the second private key d are generated according to ed = 1 (mod L). 
[0079] Next, as the second stage (step S302), at the authentication message hashing processing unit 23, the plaintext 

50 authentication message M is hashed by using the hash function h to obtain the authenticator h(M), where it is assumed 
that 0 < h(M) < n. Here, the hash function is used in order to shorten the message length. For example, the hashing 
processing extracts several characters from the top of the message. Also, a certain level of the scrambling function is 
to be provided. Note that the same hash function is to be used at the sending side and the receiving side. 
[0080] Next, as the third stage (step S303), at the authenticator encryption processing unit 25, the encrypted authen- 

55 ticator h(C) is calculated by the technique of the aforementioned fast decryption algorithm, using the first public key n 
and the second private key d of the sending side. Note that, in the authentication, the decryption processing and the 
encryption processing become completely reversed from the case of the encryption/decryption scheme described above, 
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so that the calculation of the encrypted authenticator h(C) can be processed quickly by using the Chinese remainder 
theorem. 

[0081 ] After this calculation processing, the set of the encrypted authenticator h(C) and the authentication message 
M is transmitted to the receiving side through the communication path. 
5 [0082] Next, as the fourth stage (step S304), at the authenticator decryption processing unit 27, the receiving side 
decrypts the encrypted authenticator h(C) by calculating: 



h(M)t a h(C)« (mod n) 

10 

using the second public key e of the sending side, so as to obtain the first authenticator h(M) 1 . 

[0083] Next, as the fifth stage (step S305), at the authentication message hashing processing unit 29, the receiving 

side hashes the authentication message M by using the hash function h so as to obtain the second authenticator h(M) 2 . 
15 [0084] Then, as the sixth stage (step S306), at the authenticity verification processing unit 31 , the authenticity of the 

authentication message is judged according to whether the first authenticator h(M).j and the second authenticator h(M) 2 

coincide with each other or not, and an output indicating either coincide (Yes) or not coincide (No) is outputted. 

[0085] More specifically, the authentication scheme according to the present invention can be realized as follows. 

[0086] In the most general case, the sender side sets a first private key given by N (> 2) prime numbers p v p 2 , , 

20 p N> a first public key n given by a product p 1 k1 p 2 k2 Pn 1 ^ where k1, k2, , kN are arbitrary positive integers, a 

second public key e and a second private key d which satisfy: 



ed b l (mod L) 

25 

where L is a least common multiple of p r 1, p 2 -1, , p N -1. 

[0087] Then, the sender side obtains an authenticator h(M) by hashing the authentication message M using a hash 
function h, while obtaining an encrypted authenticator h(C) of the authenticator h(M) according to: 

30 

h(M) 5 h(C)« (mod n) 

35 by obtaining residues h(C) p1k1 , h(C) p2k2 , , h(C) pNkN modulo p/ 1 , p 2 k2 , , p N kN , respectively, of the encrypted 

authenticator h(C) using the loop calculation of the aforementioned fast decryption algorithm with respect to the first 
private key p v p 2 , , p N , and applying the Chinese remainder theorem to the residues h(C) p1k1 , h(C) p2k2 , , h 

(C)pNkN- 

[0088] Then, the encrypted authenticator h(C) and the authentication message M are sent from the sender to the 
40 receiver. 

[0089] Next, the receiver side obtains a first authenticator h(M)«, by calculating h(C) e (mod n) from the encrypted 
authenticator h(C) received from the sender using the second public key e, while obtaining a second authenticator h 
(M) 2 by hashing the authentication message M received from the sender using the hash function h. 
[0090] Then, an authenticity of the authentication message M is judged at the receiver side by checking whether the 
45 first authenticator h(M)., and the second authenticator h(M) 2 coincide or not. 

[0091 ] It should be apparent from the above that, in the specific case where the encrypted authenticator h(C) is obtained 
using the first private key given by three prime numbers p 1 = p, p 2 = q and p 3 = r and the first public key n given by a 
product p k of r™ where k = k1 , i - k2 and m = k3, the sender obtains the encrypted authenticator h(C) by first obtaining 
h(K) 0 p , h(K) 0 q and h(K) 0 r modulo p, q and r, respectively, by integer modular exponent calculations of: 

50 

h(K) 9 » :«= h(M) d * (mod p); 

55 

h(K)e« :<= h(M) d « (mod q); 
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h(K)e' := h(M) d ' (rood r); 



where: 



dp : = d (mod p-1) ; 



dq := d (mod q-1) ; 



dr := d (mod r-1) ; 



next obtaining the residues h(C) pk , h(C)^ and h(C) rm modulo p k , q' and r™, respectively, by applying the loop calculation 
to h(K) 0 P, h(K)^ and h(K) 0 r , respectively, and then applying the Chinese remainder theorem to the residues h(C) pk , h 
(C^andhtCW 

[0092] It should also be apparent from the above that, in the specific case where the encrypted authenticator h(C) is 
obtained using the first private key given by two prime numbers p 1 = p and p 2 = q and the first public key n given by a 
product p k q where k = k1 , the sender obtains the encrypted authenticator h(C) by first obtaining a residue h(K) a modulo 
p and a residue h(C) q modulo q of the encrypted authenticator h(C), by integer modular exponent calculations of: 

h(K)a := h(M) dp (mod p) ; 



h(C)q h(M) d « (mod q) ; 



where: 



dp := d (mod p-1) ; 



dq := d (mod q-1) ; 



next obtaining a residue h(C) pk modulo p k of the encrypted authenticator h(C) by applying the loop calculation to h(K) 0 , 
and then applying the Chinese remainder theorem to the residues h(C) pk and h(C) q . 
[0093] In this case, the loop calculation can be carried out as follows. 



h(A)o := h(K)o ; 

FORi = 1 to(k-1)do 
begin 

h(F); (h(A)i->*) (mod p' • ■ ); 
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h(E)» : = (h(M) - h(F)i ) (mod p j ♦ 1 ) ; 
h(B); := h(E)i /p 1 in Z; 
h(K); : = ((«h(F)i )-'h(A)i-ih(B)i ) (mod p); 
h(A)i := h(A)i-i ♦ p'MK); In Z; 



end 



h(C) P k := h ( A) k - 1 . 
[0094] Also in this case, the Chinese remainder theorem can be applied by the following calculation. 

qi q" 1 (mod p k ) ; 

vi := ((h(C)ok -h(C)o)qi) (mod p k ); 

h(C) := (h(C)o ♦ qvi ) . 

Alternatively, the Chinese remainder theorem can also be applied by the following calculation. 

pi :« (P k )* 1 (mod q) ; 
vi := ((h(C)q - h(C)pk)pt) (mod q); 

h(C) := (h(C)pw ♦ p k vi ). 

Alternatively, the Chinese remainder theorem can also be applied by the following calculation. 

pi := (P k )' 1 (mod q) ; 
qi := q~ 1 (mod p k ) ; 

h(C) := (qiqh(C)pk ♦ pip k h(C) Q ) (mod p k q). 

[0095] Note that, In the above described embodiment, each of the prime numbers has a size of about n 1/ ( k+1 ) which 
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is sufficient to prevent the number field sieve method and the elliptic curve method that are the fastest prime factoring 
algorithms currently known. Also, the second public key e can be set small so that the second private key d has about 
the same size as the least common multiple L Here, the least common multiple L has a size of n 2 ^ 1 ) which is smaller 
than that of the RSA cryptosystem so that it can contribute to the realization of the faster encryption/decryption. 
[0096] Also, in the above described embodiment, the case of k = 3 uses the composite number n = p 3 q as the modulus, 
so that the size of each of p and q becomes 1/4 of the size of n. The decryption processing modulo p 3 requires about 
the same amount of calculations as the processing modulo p, so that the processing modulo p 3 and the processing 
modulo q can be made 64 times faster Thus the overall processing can be made 32 times faster, which is considerably 
faster even in comparison with the conventionalQuisquater-Couvreur scheme that can realize four times faster decryption 
processing than the original RSA cryptosystem. 

[0097] As described, the cryptosystem according to the present invention uses N (> 2) prime numbers p 1( p 2 , , 

p N as the first private key and their product p t k1 p 2 k2 p N kN as the first public key n, so that it has the same security 

level as the conventionally known RSA cryptosystem on rational integer ring, while it is capable of realizing the faster 
encryption and decryption processing. In addition, it can be utilized for the authentication as well, and it is also capable 
of realizing the faster authenticator generation and authenticity verification. 

[0098] Moreover, the cryptosystem according to the present invention uses the second public key e as an encryption 
key and the second private key d as a decryption key which satisfy: 



cd s i (mod L) 

where L is a least common multiple of p r t , p 2 -1 , , p N -1 , so that the size of the decryption key d can be made about 

the same as the size of L. 

[0099] In contrast, in the case of the RSA cryptosystem for example, if p^ 1 p 2 k2 p N kN is to be used as the first 

public key n where p v p 2 , , p N are N (> 2) prime numbers, it is required to generate the encryption key e and the 

decryption key d which satisfy: 



ed a 1 (mod <*>(n)) 

where 



<P(n) = nd-l/pi Ml-l/pO — (1-1/pn ) 

is the Euler function, so that the size of the decryption key d becomes the same as the size of <|>(n) which is considerably 
larger than the size of L. 

[0100] It is to be noted that the above described embodiment according to the present invention may be conveniently 
implemented in forms of software programs for realizing the operations of the cipher communication system of Fig. 1 or 
the authentication system of Fig. 4, as will be apparent to those skilled in the computer art. Appropriate software coding 
can readily be prepared by skilled programmers based on the teachings of the present disclosure, as will be apparent 
to those skilled in the software art. 

[0101] In particular, each of the encryption apparatus and the decryption apparatus of Fig. 1 and the sender apparatus 
and the receiver apparatus of Fig. 4 as described above can be conveniently implemented in a form of a software package. 
[0102] Such a software package can be provided in a form of a computer program product which employs a storage 
medium including stored computer code which is used to program a computer to perform the disclosed function and 
process of the present invention. The storage medium may include, but is not limited to, any type of conventional floppy 
disks, optical disks, CD-ROMs, magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, magnetic or optical cards, 
or any other suitable media for storing electronic instructions. 

[0103] It is also to be noted that, besides those already mentioned above, many modifications and variations of the 
above embodiments may be made without departing from the novel and advantageous features of the present invention. 
Accordingly, all such modifications and variations are intended to be included within the scope of the appended claims. 
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Claims 

1. A decryption method for decrypting a ciphertext C obtained from a plaintext M according to: 

5 

C = hf (mod n) 

using a first private key given by N > 2 prime numbers p v p 2 , .... p N , a first public key n given by a product p/ 1 , 

10 p ? k2 p N kN where k1 , k2 kN are arbitrary positive integers, a second public key e and a second private key d 

which satisfy: 

ed a 1 (mod L) 
where L is the least common multiple of p^l, p 2 -1 , p N -1 , the method comprising the steps of: 

obtaining residues M p1k1> M p2k2 , .... M pNkN modulo p/ 1 , p 2 k2 > p N kN , respectively, of the plaintext M using a 
loop calculation with respect to the first private key p 1( p2 , p N : and 

recovering the plaintext M by applying the Chinese remainder theorem to the residues M p1k1) M p2k2 , M pNkN ; 

CHARACTERIZED IN THAT 

the ciphertext C is obtained using the first private key given by two prime numbers = p and p 2 = q and the 
first public key n given by the product p k q where k = k1 ; 

the obtaining step obtains a residue modulo p and a residue M q modulo q of the plaintext M, by integer 
modular exponent calculations of: 



K 0 := P < mod P>; 

and 

35 

M<j := C d q (mod q) ; 

where: 

40 

dp := d (mod p-1) ; 

45 

and 



dq := d (mod q-1) ; 

50 

and obtains a residue M pk modulo p k of the plaintext M by applying the loop calculations to and 
the recovering steps applies the Chinese remainder theorem to the residues M pk and M q ; and 
the loop calculation is carried out by: 

55 

(a) setting := K^; 

(b) for i = 1 to (k-1), repeatedly calculating: 
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Fi := (Ai-i e ) (mod p i+1 ) ; 

Ei := (C - Fi) (mod p i+1 ) ; 
Bi := Bi/p 1 in Z; 
Ki := ((eFi) " 1 Ai. x Bi) (mod p) ; 

Ai := Ai-i + p 1 Ki in Z; 

and 

(c) setting M pk : = A k . 1 . 

The method of claim 1 , wherein the recovering step recovers the plaintext M by calculating: 

q x q" 1 (mod p k ) ; 
V! := ((M p k - Mq) qi) (mod p*) ; 

and 

M := (Mq + qVi) . 

The method of claim 1 , wherein the recovering step recovers the plaintext M by calculating: 

Pi := (P*)" 1 (mod q) ; 
Vi ((Mq - M pk ) pi) (mod q); 

and 

M (M p k + p k V X ) . 

The method of claim 1 , wherein the recovering step recovers the plaintext M by calculating: 

Pi (pV 1 < mod q) ' 

qi : = q* 1 (mod p k ) ; 
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and 



M := (qi qM p * + Pi p k Mq) (mod p k q) . 



An authentication method for authenticating an authentication message sent from a sender to a receiver, comprising 



(a) setting at the sender side a first private key given by N > 2 prime numbers p 1f p 2 , p N , a first public key n 
given by a product p/ 1 p 2 k2 ... where k1 , k2, ... kN are arbitrary positive integers, a second public key e 
and a second private key d which satisfy: 



where L is the least common multiple of p.,-1 , p 2 -1 , .... p N -1 ; 

(b) obtaining at the sender side an authenticator h(M) by hashing the authentication message M using a hash 
function h; 

(c) obtaining at the sender side an encrypted authenticator h(C) of the authenticator h(M) according to: 



by obtaining residues h(C) p1k1 , h (C) p2k2 , h (C) pNkN modulo p^ 1 , p 2 k2 p N kN , respectively, of the encrypted 

authenticator h(C) using a loop calculation with respect to the first private key p v p 2> p N ; and applying the 
Chinese remainder theorem to the residues h (C) p1k1 , h(C) p2k2 , .... h(C) pNkN . 

(d) sending the encrypted authenticator h (C) and the authentication message M from the sender to the receiver; 

(e) obtaining at the receiver side a first authenticator h(M) 1 by calculating h(C) e (mod n) from the encrypted 
authenticator h(C) received from the sender using the second public key e; 

(f) obtaining at the receiver side a second authenticator h(M) 2 by hashing the authentication message M received 
from the sender using the hash function h; and 

(g) judging the authenticity of the authentication message M at the receiver side by checking whether the first 
authenticator hfM^ and the second authenticator h(M) 2 coincide or not; 

CHARACTERIZED IN THAT 

the encrypted authenticator h(C) is obtained using the first private key given by two prime numbers p^ = p and 
p 2 = q and the first public key n given by the product p*q where k = k1 ; 

the step (c) obtains a residue h(K) 0 modulo p and a residue h(C) q modulo q of encrypted authenticator h(C), 
by integer modular exponent calculations of: 



the steps of: 



ed s 1 



(mod L) 



h(M) s h(C) e (mod n) 



h(K) 0 



:= h(M) 



d p (mod p) ; 



and 



h(C) q := h(M> 



d q (mod q) ; 



where: 
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dp :== d (mod p-1) ; 

and 

dq := d (mod q-1) ; 

and obtains a residue h(C) pk modulo p* of the encrypted authenticator h(C) by applying the loop calculation to 
h(K) 0 , and applies the Chinese remainder theorem to the residues h(C) pk and h(C) q ; and 
the loop calculation is carried out by: 

(a) setting h(A) 0 := h(K) 0 ; 

(b) for i = 1 to (k-1), repeatedly calculating: 

h(F)i := (h(A)i-i e ) (mod p Ul ) ; 

h(E)i := (h(M) - h(F)i) (mod p ifl ) ; 

h(B)i := hfEJi/p 1 in Z; 
h(K)i := ((eh(F)i) 1 h(A)i-! h(B)i) (mod p) ; 

h(A)i := h(A)i-! + p 1 h(K)iin Z; 

and 

(c) setting h(C) pk := h(A) k _ v 

The method of claim 5, wherein the step (c) applies the Chinese remainder theorem by calculating: 

q x := q* 1 (mod p k ) ; 
Vl := ((h(C) pk - h(C) q ) q x ) (mod p*) ; 

and 

h(C) := (h(C) q + qyx) . 
The method of claim 5, wherein the step (c) applies the Chinese remainder theorem by calculating: 

Pi := (pV 1 ("tod q) ; 
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v x := ((h(C)cj - h(C)p k ) p x ) (mod q) ; 

and 

h(C) := (h(C)p k + p k vj . 

8. The method of claim 5, wherein the step (c) applies the Chinese remainder theorem by calculating: 

Pi := (P*) "* (m° d q) i 
q x := q" 1 (mod p k ) ; 

and 

h(C) : = (qi qh(C) pk + pi p k h(C)q) (mod p k q) . 

9. A decryption apparatus for decrypting a ciphertext C obtained from a plaintext M according to: 



C s M e (mod n) 

using a first private key given by N > 2 prime numbers p 1t p 2 , .... p N , a first public key n given by a product p^ 1 
p 2 & ... p N kN where k1, k2, .... kN are arbitrary positive integers, a second public key e and a second private key 
key d which satisfy: 



ed = 1 (mod L) 

where L is the least common multiple of p r 1 , p 2 -1 p N -1 , the apparatus comprising: 

a calculation processing unit for obtaining residues M p1k1 , M p2k2 , ..... M pNkN module p1 k1 , p 2 k2 , .... p N kN , re- 
spectively, of the plaintext M using a loop calculation with respect to the first private key p v p 2 , p N ; and 
a decryption processing unit for recovering the plaintext M by applying the Chinese remainder theorem to the 
residues M plk1 , M p2k2 , .... M pNkN ; 

CHARACTERIZED IN THAT 

the ciphertext C is obtained using the first private key given by two prime numbers = p and p 2 = q and the 
first public key n given by the product p k q where k = k1 ; 

the calculation processing unit is adapted to obtain a residue modulo p and a residue M q modulo q of the 
plaintext M, by integer modular exponent calculations of: 



Kc := C d p (mod p) ; 



and 
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M, := C d q (mod q) ; 

where: 

dp := d (mod p-1) ; 

and 

dq := d (mod q-1) ; 

and is adapted to obtain a residue M pk modulo p k of the plaintext M by applying the loop calculation to K^; and 
the recovering decryption processing unit is adapted to apply the Chinese remainder theorem to the residues 
M pk and M q ; and 

the loop calculation is carried out by: 

(a) setting Ag := K^; 

(b) for i = 1 to (k-1 ), repeatedly calculating: 

Fi := (Ai^ e ) (mod p i+x ) ; 
Ei := (C - Fi) (mod p 1 * 1 ) ; 
Bi := Ei/p 1 in Z; 
Ki : = ((eFi)" 1 A^ x Bi) (mod p) ; 
Ai := Ai-i + p 1 Ki in 2; 

and 

(c) setting M pk : = A k . v 

10. A cipher communication system, comprising: 

a sender apparatus having: 

an encryption/decryption key generation processing unit for setting N > 2 prime numbers p 1( p 2 , Pn as 
a first private key, and a product p/ 1 p 2 ^ - pN kN as a first public key n, where k1, k2, .... kN are arbitrary 
positive integers, and determining a second public key e and a second private key d which satisfy: 

ed = 1 (mod L) 

where L is the least common multiple of p r 1, p 2 -1, .... p N -1, using the first private key; and 
an encryption processing unit for obtaining a ciphertext C from a plaintext M according to: 
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C s H 6 (mod n) 

using the first public key n and the second public key e; and 

a receiver apparatus having: 

a calculation processing unit for obtaining residues M p1kl , M p2k2 M pNkN modulo p/ 1 ' p 2 k2 , .... p N kN , 

respectively, of the plaintext M using a loop calculation with respect to the first private key p.,, p 2 , p N ; and 
a decryption processing unit for recovering the plaintext M by applying the Chinese remainder theorem to 
the residues M p1k1> M p2k2 .... M pNkN ; 

CHARACTERIZED IN THAT 

the ciphertext C is obtained using the first private key given by two prime numbers p n = p and p 2 = q and the 
first public key n given by the product p k q where k = k1 ; 

the calculation processing unit is adapted to obtain a residue Kg modulo p and a residue M q modulo q of the 
plaintext M, by integer modular exponent calculations of: 

Ko : = C d p (mod p) ; 

and 

M q := C d q (mod q) ; 



where: 



dp : = d (mod p-1) ; 

and 



dq := d (mod q-1) ; 

and is adapted to obtain a residue M pk modulo p k of the plaintext M by applying the loop calculation to K^; and 
the decryption processing unit is adapted to apply the Chinese remainder theorem to the residues M pk and M q ; 
and 

the loop calculation is carried out by: 

(a) setting \ := K 0 ; 

(b) for i = 1 to (k-1), repeatedly calculating: 

Fi := (Ai-x*) (mod p 1 * 1 ) ; 



Ei := (C - Fi) (mod p 1 * 1 ) ; 
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Bi := Ei/p 1 in Z; 



5 



Ki := ((eFi)" 1 Ai.! Bi) (mod p) ; 



Ai := Ai.i + P A Ki in Z; 



w 



and 



(c) setting M pk : = A k . t . 

11. An authentication message sender apparatus for use in authenticating an authentication message sent from a 
sender to a receiver, the apparatus comprising: 



an encryption/decryption key generation processing unit for setting at the sender side a first private key given 
by N > 2 prime numbers p v p 2> p N a first public key n given by a product p^ 1 p 2 k2 ... P N kN where k1 . 
kN are arbitrary positive integers, a second public key e and a second private key d which satisfy: 



where L is the least common multiple of p r 1 f p 2 -1, .... Pn -1 ! 

an authentication message hashing processing unit for obtaining at the sender side an authenticator h(M) by 
hashing the authentication message M using a hash function h; and 

an authenticator encryption processing unit for obtaining at the sender side an encrypted authenticator h(C) of 
the authenticator h(M) according to: 



by obtaining residues h(C) p1k1 , h(C) p2k2 .... f h(C) pNkN modulo p/ 1 , p 2 k2 , .... p N kN , respectively, of the encrypted 
authenticator h(C) using a loop calculation with respect to the first private key p 1f p 2> .... p N , and applying Chinese 
remaindertheoremtothe residues h(C) p1k1 , h(C) p2k2 , .... h(C) pNkN and then sending the encrypted authenticator 
h(C) and the authentication message M to the receiver; 

CHARACTERIZED IN THAT 

the encrypted authenticator h(C) is obtained using the first private key given by two prime numbers p, = p and 
p 2 = q and the first public key n given by the product p k q where k= k1 ; 

the authentication encryption processing unit is adapted to obtain a residue h(K) 0 modulo p and a residue h 
(C) q modulo q of the encrypted authenticator h(C), by integer modular exponent calculations of: 



15 



20 



ed a 1 (mod L) 



30 



h(M) b h(C) e (mod n) 



45 



h(K)o := h(M) 



d p (mod p) ; 



and 



50 



h(C) q := h(M) 



d q (mod q) ; 



where: 
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w 



dp := d (mod p-1) ; 

and 

dq := d (mod q-1) ; 

and is adapted to obtain a residue h(C) pk modulo p k of the encrypted authenticator h(C) by applying the loop 
calculation to h(K) 0 , and to apply the Chinese remainder theorem to the residues h(C) pk and h(C) q ; and 
the loop calculation is carried out by: 

is (a) setting h(A) 0 := h(K) 0 ; 

(b) for i = 1 to (k-1 ), repeatedly calculating: 

h(F)i := (h(A)i-! e ) (mod p m ); 

20 

h(E)i := (h(M) - h(F)i) (mod p Ul ) ; 
25 h(B)i h(E) i /p i in 2; 

h(K)i := ((eh(F)i)' 1 MAh-x h(B)i) (mod p) ; 
h(A)i : = h(A)i-i + p 1 h(K)i in Z; 



30 



35 



40 



45 



and 

(c) setting h(C) pk : = h (A) k _ v 

12. An authentication system for authentication of an authentication message sent from a sender to a receiver, the 
system comprising: 

a sender apparatus having: 

an encryption/decryption key generation processing unit for setting at the sender side a first private key 
given by N > 2 prime numbers p 1f p 2 , .... p N a first public key n given by a product p/ 1 p 2 k2 ... p N kN where 
k1 , k2, kN are arbitrary positive integers, a second public key e and a second private key d which satisfy: 



ed s 1 (mod L) 



where L is the least common multiple of p r 1 , p 2 -1 , .... Pn _ 1 ; 

an authentication message hashing processing unit for obtaining at the sender side an authenticator h(M) 
by hashing the authentication message M using a hash function h; and 

an authenticator encryption processing unit for obtaining at the sender side an encrypted authenticator h 
(C) of the authenticator h(M) according to: 
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h(M) = h(C) e (mod n) 

by obtaining residues h(C) p1k1 , h(C) p2k2 h(C) pNkN modulo p,* 1 , p 2 k? , .... Pn™ respectively, of the en 

crypted authenticator h(C) using a loop calculation with respect to the first private key p lf p^ .... Pn . a " d 
applying the Chinese remainder theorem to the residues h(C) p1k1 h(C)p 2k2 , .... h(C) pNkN and then sending 
the encrypted authenticator h(C) and the authentication message M to the receiver; and 

a receiver apparatus having: 

an authenticator decryption processing unit for obtaining a first authenticator h(M) 1 by calculating h(C) e 
(mod n) from the encrypted authenticator h(C) received from the sender using the second public key e; 
an authentication message hashing processing unit for obtaining a second authenticator h(M) 2 by hashing 
the authentication message M received from the sender using the hash function h; and 
an authenticity verification processing unit forjudging an authenticity of the authentication message M by 
checking whether the first authenticator h(M) 1 and the second authenticator h(M) 2 coincide or not; 

CHARACTERIZED IN THAT 

the encrypted authenticator h(C) is obtained using the first private key given by two prime numbers p t = p and 
p 2 = q and the first public key n given by the product p k q where k = k1 ; 

the authentication encryption processing unit is adapted to obtain a residue h(K) 0 modulo p and a residue h 
(C) q modulo q of the encrypted authenticator h(C), by integer modular exponent calculations of: 

h(K) 0 := h(M) dp (mod p) ; 



and 



h(C) q ;= h(M) dq (mod q) ; 



where: 



dp d (mod p-1) ; 



and 



dq d (mod q-1) ; 

and is adapted to obtain a residue h(C) pk modulo p k of the encrypted authenticator h(C) by applying the loop 
calculation to h(K) 0I and to apply the Chinese remainder theorem to the residues h(C) pk and h(C) q ; and 
the loop calculation is carried out by: 

(a) setting h(A) 0 := h(K) fl ; 

(b) for i = 1 to (k-1), repeatedly calculating: 



h(F)i := (MA)!.! 6 ) (mod p 1 * 1 ) ; 
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h{E)i := 



(h(M) - h(F)i) (mod p 1 * 1 ) ; 



h(B)i 



= htEJi/p 1 in Z; 



h(K)i := ((eh(F)i)- 1 h(A) i - 1 h(B)i) (mod p) ; 



h(A)i := h(A)i.i + p^UOi in Z; 



and 



(c) setting h(C) pk : = h(A) M . 

13. Acomputerusablemediumhavingcomputerreadable program 

to function as a decryption apparatus for decrypting a ciphertext C obtained from a plaintext M according to: 



using a first private key given by N > 2 prime numbers p v p 2 , p N a first public key n given by a product p, k1 p 2 k2 
- p N kN , where k1 , k2, .... kN are arbitrary positive integers, a second public key e and a second private key d which 
satisfy: 



where L is the least common multiple of p r 1 , p 2 -1 , p N -1 , the computer readable program code means includes: 

first computer readable program code means for causing said computer to obtain residues M p1k1 , M p2k2> .... 
M P NkN modulo P/ 1 - p 2 k2 1 P N kN , respectively, of the plaintext M using a loop calculation with respect to the 
first private key p 1f p 2 p N ; and 

second computer readable program code means for causing said computer to recover the plaintext M by applying 
the Chinese remainder theorem to the residues M p1k1 , M p2k2 , .... M pNkN . 

CHARACTERIZED IN THAT 

the ciphertext C is obtained using the first private key given by two prime numbers = p and p 2 = q and the 
first public key n given by the product p k q where k = k1 : 

the first computer readable program code means obtains a residue modulo p and a residue M q modulo q of 
the plaintext M, by integer modular exponent calculations of: 



C s M 1 



i c (mod n) 



ed = 1 (mod L) 



: = C d p (mod p) ; 



and 



:= C a q (mod q) ; 



where: 
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dp := d (mod p-1) ; 

and 

dq := d (mod g-1) ; 

and obtains a residue M pk modulo p k of the plaintext M by applying the loop calculations to and 

the second computer readable program code means applies the Chinese remainder theorem to the residues 

M pk and M q ; and 

the loop calculation is carried out by: 

(a) setting Ag := Kq', 

(b) for i = 1 to (k-1 ), repeatedly calculating: 

Fi := (Ai-x e ) (mod p 1 * 1 ) ; 
Ei := (C - Fi) (mod p Ul ) ; 
Bi := Ei/p 1 ill Z; 
Ki ( (eFi)" 1 Ai-! Bi) (mod p) ; 
Ai := Ai-x + P 1 Ki in Z; 

and 

(c) setting M pk : = A k .-,. 

1 4. A computer usable medium having computer readable program code means embodied therein for causing a computer 
to function as an authentication message sender apparatus for use in authenticating an authentication message 
sent from a sender to a receiver, the computer readable program code means includes: 

first computer readable program code means for causing said computer to set at the sender side a first private 
key given by N > 2 prime numbers p 1p p 2 , p N , a first public key n given by a product p/ 1 p 2 & •» p N kN , where 
k1, k2, kN are arbitrary positive integers, a second public key e and a second private key d which satisfy: 



ed s 1 (mod L) 

where L is the least common multiple of p 1 -1, p 2 -1 p N ..,; 

second computer readable program code means for causing said computer to obtain at the sender side an 
authenticator h(M) by hashing the authentication message M using a hash function h; and 
third computer readable program code means for causing said computer to obtain at the sender side an encrypted 
authenticator h(C) of the authenticator h(M) according to: 



h(M) = h(C) e (mod n) 
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by obtaining residues h(C) p1k1 h(C) p2k2 , .... h(C) pNkN modulo p^ 1 , p 2 k2 > .... p N kN , respectively, of the encrypted 
authenticator h(C) using a loop calculation with respect to the first private key p v p 2> p N , and applying the 
Chinese remainder theorem to the residues h(C) p1kl h(C) p2k2 , h(C) pNkN , and then sending the encrypted 
authenticator h(C) and the authentication message M to the receiver: 

CHARACTERIZED IN THAT 

the encrypted authenticator h(C) is obtained using the first private key given by two prime numbers p 1 = p and 
p 2 = q and the first public key n given by the product p k q where k = k1 ; 

the third computer readable program code means obtains a residue h(K) 0 modulo p and a residue h(C) q modulo 
q of encrypted authenticator h(C), by integer modular exponent calculations of: 

h(K) 0 := h(M) d p (mod p) ; 

and 

h(C) q := h(M) dq (mod q) ; 

where: 



dp := d (mod p-1) ; 

and 

dq := d (mod q-1) ; 

and obtains a residue h(C) pk modulo p k of the encrypted authenticator h(C) by applying the loop calculation to 
h(K) 01 and applies the Chinese remainder theorem to the residues h(C) pk and h(C) q ; and 
the loop calculation is carried out by: 

(a) setting h(A) 0 := h(K) 0 ; 

(b) for i = 1 to (k-1), repeatedly calculating: 

h(F)i := (htAJi-! 6 ) (mod p i+1 ); 
h(E)i := (h(M) - h(F)i) (mod p u ); 
h(B)i := (hfEJi/p 1 in Z; 
h(K)i ( (eh(F)i)* 1 h(A)i_i h(B)i) (mod p); 
h(A)i := h(A)i.! + p 1 h(K)i in Z; 

and 

(c) setting h(C) pk := h(A) k . v 
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Patentanspruche 

1. Entschlusselungsverfahren zum Entschlusseln eines Ch'rffre-Textes C, der aus einem Klartext M erhalten wird, 
gemaB: 



C = M e (mod n) 

unter Verwendung eines ersten privaten Schlussels, der durch N > 2 Primzahlen p 1p p 2 , p N gegeben ist, eines 
ersten off entlichen Schlussels n, der durch ein Produktp^ 1 , p 2 ^ Pn™ gegeben ist, wobei k1, k2, kN beliebige 
positive Ganzzahlen sind, eines zweiten offentlichen Schlussels e und eines zweiten privaten Schlussels d, die 
erfullen: 



ed = 1 (mod L) 

wobei L das kleinste gemeinsame Vieifache von p r 1 , p 2 -1 , .... p N -1 ist, wobei das Verfahren die Schritte umfasst: 

Erhalten von Rediduen M p1k1 , M p2 k 2 , M pNkN modulo p/ 1 , p 2 k2 , .... p n kN jeweils des Klartextes M unter 
Verwendung einer Schleifenberechnung bezuglich des ersten privaten Schlussels p v p 2 , p N ; und 
Wiedergewinnen des Klartextes M durch ein Anwenden des chinesischen Restsatzes auf die Residuen M pk1 , 

Mp2k2' M pNkN I 
dadurch gekennzeichnet, dass 

der Chiffre-Text C unter Verwendung des ersten privaten Schlussels, der durch zwei Primzahlen p 1 = p und p 2 
= q gegeben ist, und des ersten offentlichen Schlussels n, der durch das Produkt p k q gegeben ist, erhalten 
wird, wobei k = k1 ; 

der Erhaltungsschritt ein Residuum modulo p und ein Residuum M q modulo q des Klartextes M durch 
ganzzahlige modulare Exponentenberechnungen von: 

k0 : = C d P (mod p) ; 

und 

M q : = C d q (mod q) ; 

wobei: 

dp: = d (mod p-1) ; 

und 

dq: = d (mod q-1) ; 

erhalt, und ein Residuum M pk modulo p k des Klartextes M beim Anwenden der Schleifenberechnungen aus 
erhalt; und 

die Wiedergewinnungsschritte den chinesischen Restsatz auf die Residuen M pk und M q anwenden; und 
die Schleifenberechnung ausgefuhrt wird durch: 
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(a) Setzen von A0; = Kq; 

(b) fur i = 1 bis (k-1), wiederholtes Berechnen: 



F i: = (Ai^e) (mod pi+1) ; 
E i: = (C - Fi) (mod p i+1 ) ; 
B i : 88 E i/P i in z ; 
K i: = ((eFi)" 1 Ai.x Bi) (mod p) ; 

A i : = + P X K i in Z; 

und 

(c) Setzen von M pk : = A^.,. 

Verfahren nach Anspruch 1 , wobei der Wiedergewinnungsschritt den Klartext M durch ein Berechnen wiedergewinnt: 

qi : = q"" 1 (mod p k ) ; 
vl: = ((M p k - M q ) q x ) (mod p k ) ; 

und 

M: = (Mg + qvi) . 
Verfahren nach Anspruch 1 , wobei der Wiedergewinnungsschritt den Klartext M durch ein Berechnen wiedergewinnt: 



p x : = (p k ) - 1 (mod q) ; 
vl: = ( (M q - M p ^ pi) (mod q) ; 



und 



M: = (M p k + p k v x ) . 
Verfahren nach Anspruch 1 , wobei der Wiedergewinnungsschritt den Klartext M durch ein Berechnen wiedergewinnt: 

Pi : = (p k ) - 1 (mod q) ; 
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M: = (q 1 qM p k + Pi P k M q> (mod P 1 ^ • 

Authentifizierungsverfahren zum Authentlfizieren einer Authentifizierungsnachricht, die von einem Senderzu einem 
Empfanger gesendet wird, umfassend die Schritte: 

(a) Setzen, auf der Senderseite, eines ersten privaten Schlussels, der durch N > 2 Primzahlen p 1f p 2 , p N 
gegeben ist, eines ersten offentlichen Schlussels n, der durch ein Produkt p^ 1 p^ ... p N kN gegeben ist, wobei 
k1, k2, ... kN beliebig positive Ganzzahlen sind, eines zweiten offentlichen Schlussels e und eines zweiten 
privaten Schlussels d, die erfullen: 



ed = 1 (mod L) , 
wobei L das kleinste gemeinsame Vietfache von p r 1, p 2 -1 , .... Pn _1 ist i 

(b) Erhalten, auf der Senderseite, eines Authentikators h(M) durch ein Zerhacken der Authentifizierungsnachricht 
M unter Verwendung einer Zerhackungsfunktion h; 

(c) Erhalten, auf der Senderseite, eines verschlusselten Authentikators h(C) des Authentikators h(M) gemaB: 



h(M) = h(C) e (mod n) 

durch ein Erhalten von Residuen h(C) p1k1 , h(C) p2k2 , .... h(C) pNkN modulo p/ 1 , p 2 k2 , .... p N kN , jeweils des ver- 
schlusselten Authentifikators h(C) unter Verwendung einer Schleifenberechnung bezuglich des ersten privaten 
Schlussels p 1t p 2> p N und ein Anwenden des chinesischen Restsatzes auf Residuen h(C) p1M , h(C) p2k2 , 

n ( C )pNkN» 

(d) Senden des verschlusselten Authentifikators h(C) und der Authentifizierungsnachricht M von dem Sender 
zu dem Empfanger, 

(e) Erhalten, auf der Empfangerseite, eines ersten Authentifikators durch ein Berechnen von h(C) e (mod 
n) aus dem verschlusselten Authentifikator h(C), der von dem Sender empfangen wird, unter Verwendung des 
zweiten offentlichen Schlussels e; 

(f) Erhalten, auf der Empfangerseite, eines zweiten Authentifikators h(M) 2 durch ein Zerhacken der Authentifi- 
zierungsnachricht M, die von dem Sender empfangen wird, unter Verwendung der Zerhackungsfunktion h; und 

(g) Beurteilen der Authentizitat der Authentifizierungsnachricht M auf der Empfangerseite durch ein Uberprufen, 
ob der erste Authentifikator h(M)-j und der zweite Authentifikator h(M) 2 ubereinstimmen oder nicht; 

dadurch gekennzeichnet, dass 

der verschlusselte Authentifikator h(C) unter Verwendung des ersten privaten Schlussels, der durch zwei Prim- 
zahlen p 1 = p und p 2 = q gegeben ist, und den ersten offentlichen Schlussel n, der durch das Produkt p k q 
gegeben ist, wobei k = k1 , erhalten wird; 

der Schritt (c) ein Residuum h(K) 0 modulo p und ein Residuum h(C) q modulo q des verschlusselten Authenti- 
fikators h(C) durch ganzzahlige modulare Exponentenberechnungen von: 

h(K)0: = h(M) d P (mod p) ; 

und 



34 



EP0 946 018 B1 

11(C)!: = h(M) d q (mod q) ; 



erhalt, wobei: 

dp: = d (mod p-1) ; 

und 

dq: = d (mod q-1) ; 

und ein Residuum h(C) pk modulo p k des verschlusseften Authentifikators h(C) durch ein Anwenden der Schlei- 
fenberechnung auf h(K) 0 erhalt, und den chinesischen Restsatz auf die Residuen h(C) pk und h(C) k anwendet; 
und 

die Schle'rfenberechnung ausgefuhrt wird durch: 

(a) Setzen von h(A) 0 : = h(K) 0 ; 

(b) fur i = 1 bis (k - 1), wiederhoftes Berechnen: 

h(F) i: = (h(A) i . 1 e ) (mod p i+1 ); 
h(E)j: = (h(M) - h(F)i) (mod p i+1 ) ; 
h(B)i: - h(E) i /p i in Z; 
h(K)i: = ((eh(F)i)- 1 h(A) i _ 1 h(B)i) (mod p) ; 
h(A)i: - h(A)i-i + p i h(K) i in Z; 

und 

(c) Setzen von h(C) pk : = h(A) k ^ 

Verfahren nach Anspruch 5, wobei der Schritt (c) den chinesischen Restsatz anwendet durch ein Berechnen: 

qi : = q" 1 (mod p k ) / 
vi: = ((h(C)p k - h(C) q ) qi) (mod p k ) ; 

und 

h(C) : = (h(C) q + qv x ) . 
Verfahren nach Anspruch 5, wobei der Schritt (c) den chinesischen Restsatz anwendet durch ein Berechnen: 
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Pl : = (p k ) -1 (mod q) ; 
qi : = ((h(C)g - h(C) p k) Pi) (mod q) ; 

und 

h(C) : = (h(C)p k + p k v x ) . 
Verfahren nach Anspruch 5, wobei der Schritt (c) den chinesischen Restsatz anwendet durch ein Berechnen: 

Pl : = (p k ) ' 1 (mod q) ; 

q 1 : = q-1 (mod p k ) ; 

und 

h(C) : = (qi qh(C) p k + Pl P k h(C)q) (mod p*q) . 

Entschlusselungsvorrichtung zum Entschlusseln eines Chiff re-Text es (C), der aus einem Klartext M erhatten wird, 
gemaB: 



C = M e (mod n) 

unter Verwendung eines ersten privaten Schlussels, der gegeben ist durch N > 2 Primzahlen p 1( p 2 , p N , eines 
ersten offentlichen Schlussels n, der gegeben ist durch ein Produkt p^ 1 , pj* 2 , .... p^jkN, wo bei k1 , k2, kN beliebige 
positive Ganzzahlen sind, eines offentlichen Schlussels e und eines zweiten privaten Schlussels d, die erfullen: 

ed = 1 (mod L) 

wobei L das kleinste gemeinsame Vielfache von p r 1, p 2 -1, p N -1 ist, wobei die Vorrichtung umfasst: 

eine Berechnungsverarbeitungseinheit zum Erhalten von Residuen M p1k1 , M p2k2 , .... M pNkN modulo p/ 1 , 
p 2 ^2 _ t P|sJ kN jeweils des Klartextes M unter Verwendung einer Schleifenberechnung bezuglich des ersten 
privaten Schlussels p 1( p 2( p N ; und 

eine Entschlusselungsverarbeitungseinheit zum Wiedergewinnen des Klartextes M durch ein Anwenden des 
chinesischen Restsatzes auf die Residuen M p iki, M p2k2 , .... M pNkN ; 

dadurch gekennzeichnet, dass 

der Chiffre-Text C unter Verwendung des ersten privaten Schlussels, der gegeben ist durch zwei Primzahlen 
p 1 = p und p 2 = q, und des ersten offentlichen Schlussels n, der gegeben ist durch das Produkt p k q, wobei k = 
k1 , erhalten wird; 

die Berechnungsverarbeitungseinheit ausgelegt ist, ein Residuum K0 modulo p und ein Residuum M q modulo 
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q des Klartextes M durch ganzzahlige modulare Exponentenberechnungen von: 

K0: = C d P (mod p) ; 

und 

M q : = C d q (mod q) ; 

zu erhalten, wobei: 



dp: = d (mod p-1) ; 

und 

dq: = d (mod q-1) ; 

und ausgelegtist, ein Residuum M pk modulo p k des Klartextes M durch ein Anwenden derSchleifenberechnung 
auf K0 zu erhalten; und 

die Wiedergewinnungs-EntschlusselungsVerarbeitungseinheit ausgelegt ist, den chinesischen Restsatz auf die 

Residuen M pk und M q anzuwenden; und 

die Schleifenberechnung ausgefuhrt wird durch: 

(a) Setzen von = 

(b) fur i = 1 bis (k-1), wiederholtes Berechnen: 

F i: = (Ai.i e ) (mod p i+1 ) ; 

E i: = (C - Fi) (mod p i+1 ) ; 

Ki: = ((eFi)' l Ai-i Bi) (mod p) ; 
Ai: = Ai_x + piKi in Z; 

und 

(c) Setzen von M pk : = A M 

10. Chiffre-Kommunikationssystem, umfassend: 
eine Sendervorrichtung, die aufweist: 

eine VerschlusselungsyEntschlusselunp^-Schlusselerzeugungs-Verarbeitungseinheit zum Setzen von N > 2 
Primzahlen p 1t p 2 , .... p N als einen ersten privaten Schlussel, und ein Produkt p/ 1 , pg* 2 , .... p N kN als einen 
ersten offenttichen Schlussel n, wobei k1, k2, kN beliebige positive Ganzzahlen sind, und zum Bestimmen 
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eines zwe'rten offentlichen Schlussels e und eines zweiten privaten Schlussels d, die erfullen: 



ed = 1 (mod L) 

5 

wobei L das kleinste gemeinsame Vielfache von p r 1 , p 2 -1 , .... p N -1 ist, unter Verwendung des ersten privaten 
Schlussels; und 

eine Verschlusselungsverarbeitungseinheitzum Erhalten eines Chiffre-Textes C aus einem Klartext M gemSB: 

10 

C = M e (mod n) 

15 unter Verwendung des ersten- offentlichen Schlussels n und des zweiten offentlichen Schlussels e; und 

eine Empfangervorrichtung, die aufweist: 

eine Berechnungsverarbeitungseinheit zum Erhalten von Residuen M p1k1 , M p2k2 , M pNkN modulo p t k1 , 
P2* 2 , .... p n kN jeweils des Klartextes M unter Verwendung einerSchleifenberechnung bezuglich des ersten 
20 privaten Schlussels p 1f p 2 , Pn; und 

eine Entschlusselungsverarbeitungseinheit zum Wiedergewinnen des Klartextes M durch ein Anwenden 
des chinesischen Restsatzes auf die Residuen M p1k1 , M p2k2 , M p iMkN» 

dadurch gekennzeichnet, dass 

25 

der Chiffre-Text C unter Verwendung des ersten privaten Schliissels, der gegeben ist durch zwei Primzahlen 
Pt = p und p 2 = q und des ersten offentlichen Schlussels n, der gegeben ist durch das Produkt p k q, wobei k = 
k1 p erhalten wird; 

die Berechnungsverarbeitungseinheit ausgelegt ist, ein Residuum modulo p und ein Residuum M q modulo 
30 q des Klartestes M durch ganzzahlige modulare Exponentenberechnungen von: 



K0: = C d P (mod p) ; 

35 

und 

M q : = C d q (mod q) ; 

40 

zu erhalten, wobei: 



45 



und 



50 



dp : = d (mod p-1) ; 



dq: = d (mod q-1) ; 



und ausgelegt ist, ein Residuum M pk modulo p k des Klartextes M durch ein Anwenden der Schleifenberechnung 
55 auf K0 zu erhalten; und 

die Entschlusselungsverarbeitungseinheit ausgelegt ist, den chinesischen Restsatz auf die Residuen M pk und 
M q anzuwenden; und 

die Schleifenberechnung ausgefiihrt wird durch: 
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(a) Setzen von = 

(b) fur i = 1 bis (k-1), wiederholtes Berechnen: 

Fi: = (Ai-i e ) (mod p i+1 ) ; 



E i: = (C - Fi) (mod p i+1 ) ; 



Ki: = ((eFi)" 1 Ai-1 Bi) (mod p) ; 



Ai: = Ai_ x + piKi in Z; 

und 

(c) Setzen von M pk : = A k-1 . 

11. Authentifiziemngsnachricht-SendeivorrichtungzurVerwendungbeimAuthem 

richt, die von einem Sender zu einem Empf anger gesendet wird, wobei die Vorrichtung umfasst 

eine Verschlusselungs-/Entschlusselungs-Schlusselerzeugungsverarbeitungseinheit zum Setzen, auf der Sen- 
derseite, eines ersten privaten Schlussels, der gegeben ist durch N > 2 Primzahlen p 1p p 2 , p N , eines ersten 
offentlichen Schlussels n, der gegeben ist durch ein Produkt p/ 1 , p 2 k2 , .... p N kN , wobei k1, k2, .... kN beliebige 
positive Ganzzahlen sind, eines zweiten offentlichen Schlussels e und eines zweiten privaten Schlussels d, die 
erfullen: 



ed = 1 (mod L) 
wobei L das kleinste gemeinsame Vielfache von p l -1 p P 2 -1, Pn-1 ist; 

eine Authentifizierungsnachricht-Zerhackungsverarbeitungseinheit zum Erhalten, auf der Senderseite, eines 
Authentifikators h(M) durch ein Zerhacken der Authentifizierungsnachricht M unter Verwendung einer Zerhak- 
kungsfunktion h; und 

eine Authentifizierungs-Verschlussungs-Verarbeitungseinheit zum Erhalten, auf der Senderseite, eines ver- 
schlusselten Authentifikators h(C) des Authentifikators h(M) gema3: 



h(M) = h(C) e (mod n) 

durch ein Erhalten von Residuen h(C) p1kl , h(C) p2k2 , .... h(C) pNkN modulo p^ 1 , p 2 k2 , p N kN jeweils des ver- 
schlusselten Authentifikators h(C) unter Verwendung einer Schleifenberechnung bezuglich des ersten privaten 
Schlussels p 1( p 2 , .... p N und durch ein Anwenden des chinesischen Restsatzes auf die Residuen h(C) p1k1 , h 
( c )p2k2» n ( c ) P NkN und dann ein Senden des verschlusselten Authentifikators h(C) und der Authentifikations- 
nachricht M zu dem Empfanger; 

dadurch gekennzeichnet, dass 

der verschlusselte Authentifikator h(C) unter Verwendung des ersten privaten Schlussels, der gegeben ist durch 
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zwei Primzahlen p A = p und p 2 = q und des ersten offentiichen SchlOssels n, der gegeben ist durch das Produkt 
p k q, wobei k = k1 , erhalten wird; 

die Authentifiziemngs-VerechlusselungsVerait)eitungseinheit ausgelegt ist, ein Residuum h(K) 0 modulo p und 
ein Residuum h(C) q modulo q des verschlusselten Authentifikators h(C) durch ganzzahlige modulare Exponen- 
tenberechnungen von: 

h(K)0: = h(M) d P (mod p) ; 

und 

h(C)x: = h(M) d Q (mod q) ; 

zu erhalten, wobei: 



dp: = d (mod p-1) ; 

und 

dq: = d (mod q-1) ; 

und ausgelegt ist, ein Residuum h(C) pk modulo p k des verschlusselten Authentifikators h(C) du rch ein Anwenden 
der Schleifenberechnung auf h(K) 0 zu erhalten und den chinesischen Restsatz auf die Residuen h(C) pk und h 
(C) q anzuwenden; und 

die Schleifenberechnung ausgefuhrt wird durch: 

(a) Setzen von h(A) 0 : = h(K) 0 ; 

(b) fur i = 1 bis (k - 1), wiederholtes Berechnen: 

h(F>i: - (h(A)i,! e ) (mod p i + 1 ); 
h(B)i: = (h(M) - h(F)i) (modp i + 1 ); 
h(B)i: = h(E) i /p i in Z; 
h(K)i: = ((eh(F)i)- 1 h(A) i . 1 h(B)i) (mod p) ; 
h(A)i: = h(A)i-i + p i h(K) i in Z; 

und 

(c) Setzen von h(C) pk : = h(A) k . v 

12. Authentifizierungssystem zur Authentifizierung einer Authentifizierungsnachricht, die von einen Sender zu einem 
Empfanger gesendet wird, wobei das System umfasst: 



40 



EP0 946 018 B1 



eine Sendervorrichtung, die aufweist: 

eine VerschlusselungsVEntschlOsselungs-SchlDsselerzeugungsverarbeitungseinheit zum Setzen, auf der 
Senderseite, eines ersten privaten Schlussels, der gegeben ist durch N > 2 Primzahlen p, , p 2 , p N , eines 
ersten offentlichen Schlussels n, der gegeben ist durch ein Produkt p, k1 , p^, p N kN , wobei k1, k2, .... 
kN beliebige positive Ganzzahlen sind, eines zweiten offentlichen Schlussels e und eines zweiten privaten 
Schlussels d, die erfullen: 

ed = 1 (mod L) 
wobei L das kleinste gemeinsame Vielfache von p 1 -1 l p 2 -1 , Pn' 1 ist J 

eine Authentifizierungsnachricht-Zerhackungsverabeitungseinheit zum Erhalten, auf der Senderseite, eines 
Authentifikators h(M) durch ein Zerhacken der Authentifizierungsnachricht M unter Verwendung einer Zerhak- 
kungsfunktion h; und 

eine Authentifizierungs-Verschlussungs-Verarbeitungseinhert zum Erhalten, auf der Senderseite, eines ver- 
schlusselten Authentifikators h(C) des Authentifikators h(M) gemaB: 

h(M) = h(C) e (mod n) 

durch ein Erhalten von Residuen h(C) p1k1 , h(C) p2k2 , h(C) pNkN modulo p^ 1 , p 2 k2 , .... p f4 kN jeweils des ver- 
schlusselten Authentifikators h(C) unter Verwendung einer Schleifenberechnung beztiglich des ersten privaten 
Schlussels p 1t p 2 , .... p N und durch ein Anwenden des chinesischen Restsatzes auf die Residuen h(C) p1k1> h 
( c ) P 2k2» »•« n ( c ) P NkN und dann ejn Senden des verschlusselten Authentifikators h(C) und der Authentifikations- 
nachricht M zu dem Empfanger; und 
eine Empfangervorrichtung, die aufweist: 

eine Authentifikator-EntschlusselungsVerarbeitungseinheit zum Erhalten eines ersten Authentifikators h 
(M) 1 durch ein Berechnen von h(C) e (mod n) aus dem entschlusselten Authentifikator h(C), der von dem 
Sender empfangen wird, unter Verwendung des zweiten offentlichen Schlussels e; 
eine Authentifizierungsnachricht-Zerhackungsverarbeitungseinheit zum Erhalten eines zweiten Authentifi- 
kators h(M) 2 durch ein Zerhacken der Authentifizierungsnachricht, die von dem Sender empfangen wird, 
unter Verwendung der Zerhackungsfunktion h; und 

eine Authentizitats-Verifikations-Verarbeitungseinheit zum Beurteilen der Authentifizitat der Authentifizie- 
rungsnachricht M durch ein Uberpriifen, ob der erste Authentifikator U(M), und der zweite Authentifikator 
h(M) 2 ubereinstimmen oder nicht; 

dadurch gekennzeichnet, dass 

der verschlusselte Authentifikator h(C) unter Verwendung des ersten privaten Schlussels, der gegeben ist durch 
zwei Primzahlen = p und p 2 = q, und des ersten offentlichen Schlussels n, der gegeben ist durch das Produkt 
p k q, wobei k = k1 , erhalten wird; 

die Authentifizierungs-VerschliisselungsVerarbeitungseinheit ausgelegt ist, ein Residuum h(K) 0 modulo p und 
ein Residuum h(C) 1 modulo q des verschlusselten Authentifikators h(C) durch ganzzahlige modulare Exponen- 
tenberechnungen von: 



h(K)0: = h(M) d P (mod p) ; 

und 

h(C) q : = h(M) d q (mod q) ; 
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10 



35 



40 



45 



50 



55 



zu erhalten, wobei: 

dp: = d (mod p-1) ; 

und 

dq: = d (mod q-1) ; 



und ausgelegt ist, ein Residuum h(C) pk modulo p k des verschlusselten Authentifikators h(C) durch ein Anwenden 
der Schleifenberechnung auf h(K) 0 zu erhalten und den chinesischen Restsatz auf die Residuen h(C) pk und h 
15 (C) q anzuwenden; und 

die Schleifenberechnung ausgefuhrt wird durch: 

(a) Setzen von h(A) 0 : = h(K) 0 ; 

(b) fur i = 1 bis (k - 1), wiederholtes Berechnen: 

20 

h(F)±: = (h(A)i_i e ) (mod p i+1 ) ; 
25 h(E)±: = (h(M) - h(F)i) (mod p i+i ) ; 

h(B)i: = h(E) i /p i in Z; 

30 

h(K)i: = ((eh(F)i)- 1 h(A)i-i h(B)i) (mod p) ; 
h(A)i: = h(A)i_i + pihWi in Z; 



und 

(c) Setzen von h(C) pk : = h(A) k . v 

13. Computer-verwendbares Medium, das eine computerlesbare Programmcodeeinrichtung darin enthalten aufweist, 
um einen Computer zu veranlassen, als eine Entschlusselungsvorrichtung zum Entschliisseln eines Chiffre-Textes 
C zu arbeiten, der aus einem Klartext M erhalten wird, gemaB: 



C = M e (mod n) 

unter Verwendung eines ersten privaten Schlussels, der gegeben ist durch N > 2 Primzahlen p v p 2 , .... p N , eines 
ersten offentlichen Schlussels n, der gegeben ist durch ein Produktp^ 1 , p 2 k2 , .... p^- wobei k1 , k2, .... ^ beliebige 
positive Ganzzahlen sind, eines zweiten offentlichen Schlussels e und eines zweiten privaten Schlussels d, die 
erfullen: 

ed = 1 (mod L) 

wobei L das kleinste gemeinsam Vielfache von p r 1 , p 2 -1 p N -1 ist, wobei die erste Computer-lesbare Programm- 
codeeinrichtung einschlieRt: 
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eine erste computerlesbare Programmcodeeinrichtungzum Herbeifuhren, dass der Computer Residuen M p1k1 , 
Mp2k2» -» M pNkN modulo p^ 1 , p 2 k2 , p N kN jeweils des Klartextes M unter Verwendung einer Schleifenberech- 
nung bezuglich des ersten privaten Schlilssels p n , p 2 , p N erhalt; und 

einezweite computerlesbare Programmcodeeinrichtungzum Herbeifuhren, dass der Computer den Klartext M 
durch ein Anwenden des chinesischen Restsatzes auf die Residuen M p1k1 , M p2k2 , .... M pNkN wiedergewinnt; 

dadurch gekennzeichnet, dass 

der Chiffre-Text C unter Verwendung des ersten privaten Schlussels, der gegeben ist durch zwei Primzahlen 
p-i = p und p 2 = q und den ersten offentlichen Schlussel n, der gegeben ist durch das Produkt pkq, wobei k = 
k 1f erhalten wird; 

die erste computerlesbare Programmcodeeinrichtung ein Residuum modulo p und ein Residuum M 1 modulo 
q des Klartextes M durch ganzzahlige modulare Exponentenberechnungen von: 



K0 : = C d P (mod p) ; 

und 

M q : = C d q (mod q) ; 

erhalt, wobei: 



dp: = d (mod p-1) ; 

und 

dq: = d (mod q-1) ; 

und ein Residuum M pk modulo p k des Klartextes M durch ein Anwenden der Schleifenberechnungen auf Kq 
erhalt; und 

die zweite computerlesbare Programmcodeeinrichtung den chinesischen Restsatz auf die Residuen M pk und 
M q anwendet; und 

die Schle'rfenberechnung ausgefuhrt wird durch: 

(a) Setzen von A0: = 

(b) fur i = 1 bis (k - 1), wiederholtes Berechnen: 

F i: = (A) i-i e ) (mod pi + l) ; 

E i: = (C - Fi) (mod p i+1 ) ; 
B^: = Ei/pi in Z; 
K i: = ((eFi)' 1 Ai.! Bi) (mod p) ; 

A i : = A i-1 + P* K i ^ n Z ' 
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und 

(c) Setzen von M pk : = A k . v 

14. Computer-verwendbares Medium, das eine computerlesbare Programmcodeeinrichtung darin enthalten aufweist, 
5 um einen Computer zu veranlassen, als eine Authentiflzierungsnachricht-Sendervorrichtung zur Verwendung beim 

Authentifizieren einerAuthentifizierungsnachrichtzu arbeiten, die von einem Sender zu einem Empfanger gesendet 
wird, wobei die computerlesbare Programmcodeeinrichtung einschlieBt: 

eine erste computerlesbare Programmcodeeinrichtung zum Herbeifuhren, dass der Computer auf der Sender- 
10 seite einen ersten privaten Schlussel, der gegeben ist durch N > 2 Primzahlen p 1( p 2 , Pn, einen ersten 

offentlichen Schlussel n, der gegeben ist durch ein Produkt p/ 1 p 2 k2 p N kN , wobei k1, k2, kN beliebige 
positive Ganzzahlen sind, einen zweiten offentlichen Schlussel e und einen zweiten privaten Schliissei d, die 
erfullen: 

15 

ed = 1 (mod L) 

setzt, wobei L das kleinste gemeinsame Vielfache von p.,-1, p 2 -1, P N -1 ist; 
20 eine zweite computerlesbare Programmcodeeinrichtung zum Herbeifuhren, dass der Computer auf der Sen- 

derseite einen Authentifikator h(M) durch ein Zerhacken der Authentifizierungsnachricht M unter Verwendung 
einerZerhackungsfunktion h erhalt; und 

eine dritte computerlesbare Programmcodeeinrichtung zum Herbeifuhren, dass der Computer auf der Sender- 
seite einen verschlusselten Authentifikator h(C) des Authentifikators h(M) gemaB: 

25 

h(M) = h(C) e (mod n) 

30 

durch ein Erhalten von Residuen h(C) p1k1 , h(C) p2k2 , -h(C) pNkN modulo p^ 1 , P2 k2 , p N kN jeweils des ver- 
schlusselten Authentifikators h(C) unter Verwendung einer Schleifenberechnung bezuglich des ersten privaten 
Schlusselsp!, p 2> p N und ein Anwenden deschinesischen Restsatzes auf die Residuen h(C) p1k1 , h(C) p2k2 , 
h(C) pNkN und dann durch ein Senden des verschlusselten Authentifikators h(C) und der Authentifizierungsnach- 
35 richt M zu dem Empfanger erhalt; 

dadurch gekennzeichnet, dass 

der verschlusselte Authentifikator h(C) unter Verwendung des ersten privaten Schlussels, der gegeben ist durch 
to zwei Primzahlen p-, = p und p 2 = q und des ersten offentlichen Schlussels n, der gegeben ist durch das Produkt 

p k q, wobei k = k1 , erhalten wird; 

die dritte lesbare Programmcodeeinrichtung ein Residuum h(K) 0 modulo p und ein Residuum h(C) q modulo q 
des verschlusselten Authentifikators h(C) durch ganzzahlige modulare Exponentenberechnungen von: 

45 

h(K)0: = h(M) d P (mod p) ; 

und 

50 

h(C) q : = h(M) d q (mod q) ; 

erhalt, wobei: 

55 

dp: = d (mod p-1) ; 
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und 

dq: = d (mod q-1) ; 

und ein Residuum hfC^ modulo p k des verschlusselten Authentifikators h(C) durch ein Anwenden der Schlei- 
fenberechnung auf h(K) 0 erhalt und den chinesischen Restsatz auf die Residuen h(C) pk und h(C) q anwendet; und 
die Schieifenberechnung ausgefuhrt wird durch: 

(a) Setzen von h(A) 0 := h(K) 0 ; 

(b) fur i = 1 bis (k - 1); wiederholtes Berechnen: 

h(F)i: = (h(A)i^) (modpi + l); 
h(E) i: = (h(M) - h(F)i) (mod p i+1 ) ; 
h(B) i: = hfEJi/p 1 in Z; 

h(K) i: = ((eh(F)i)- 1 h(A) i ^ 1 h(B)i) (mod p) ; 

h(A)i: = MA)^! + p i h(K) i in Z; 

und 

(c) Setzen von h(C) pk := h(A) k _ v 
Revendications 

1. Procede de dechiffrage pour dechiffrer un texte chiffre C obtenu a partir d'un texte en clair M en conforrnite avec : 

C s M e (mod n) 

en utilisant une premiere cle privee donnee par N > 2 de nombres premiers p-, , p 2 , p N> une premiere cle publique 
n donnee par un produit p/ 1 , p2 y2 t .... p N kN ou k1, k2, .... kN sont des nombres entiers poshifs arbitrages, une 
seconde cle publique e et une seconde cle privee d qui satisfont : 

ed = 1 (mod L) 

ou L est le plus petit commun multiple de p r l, p 2 -1, Pm-1, le procede comprenant les etapes consistant a : 

obtenir des residus M p1k1 , M p2 k2, •«•» M pNkN modulo p/ 1 , p 2 k2 , .... p N kN , respectivement, du texte en clair M en 
utilisant un calcul en boucle par rapport a la premiere cle privee p lt p 2 , .... p N ; et 

reconstituer le texte en clair M en appliquant le theoreme du reste chinois aux residus M p1k1> M p2k2 , M pNkN ; 
CARACTER1SE EN CE QUE 
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le texte chiffre C est obtenu en utilisant la premiere cle privee procure e par ies deux nombres premiers p 1 = p 
et p 2 = q et la premiere cle publique n procuree par le produit p k q ou k = k1 ; 

I'etape cfobtention obtient un residu Ko modulo p et un r6sidu M q modulo q du texte en clair M par le calcul 
cfexposant modulaire entier de : 

K 0 := C dp (mod p) ; 

et 

Mq := C dq (mod q) 

ou : 

dp := d (mod p-1) ; 

et 

dq = d (mod q-1) 

et obtient un residu M pk modulo p k du texte en clair M en appliquant le calcul en boucle a Ko ; et 
Ies etapes de reconstitution appliquent le theoreme de reste chinois aux residus M pk et M q ; et 
le calcul en boucle est effectue par : 

(a) 6tablirAo:=Ko; 

(b) pour i = 1 a (k-1), calculer de maniere repetee : 

Fi := (Ai-! e ) (mod p i+1 ) ; 
Ei := (C - Fi) (mod p i+1 ) ; 
Bi := Ei/p 1 dans Z ; 
Ki := ((eFi)' 1 Ai^ Bi) (mod p) ; 
Ai := Aw + p 1 Ki dans Z ; 

et 

(c) etablirM pk := A^. 

Procede selon la revendication 1 , dans lequel I'etape de reconstitution reconstitue le texte en clair M en calculant : 

qi := q" 1 (mod p k ) ; 
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Vi := ( (M pk - Mq)qi) (mod p k ) ; 

et 

M := <M q + qv : ) . 

Procede selon la revendication 1 , dans lequel I'etape de reconstitution reconstitue le texte en clair M en calculant : 

Pi := (pV 1 (mod q) ; 
Vi := ( (Mq - M pk ) Pl ) (mod q) ; 

et 

M := (M pk + p k Vl ) . 
Procede selon la revendication 1 , dans lequel I'etape de reconstitution reconstitue le texte en clair M en calculant : 

Pi := (p k ) _1 (mod q) ; 
q x := q" 1 (mod p k ) ; 

et 

M := (qi qM pk + pi p k M q ) (mod p k q) . 

Procede d'authentification pour authentifter un message d'authentification envoye d'un emetteur a un recepteur, 
comprenant les etapes consistant a : 

(a) etablir au niveau du cote emetteur une premiere cle privee procuree par N > 2 nombres premiers p lf p 2 , ... , 
p Nt une premiere cle publique procuree par le produit p/ 1 p 2 k2 ... ou k1, k2, ... kN sont des nombres 
entiers positifs arbitraires, une seconde cle publique e et une seconde cle privee d qui satisfont : 



ed = 1 (mod L) 



ou L est le plus petit commun multiple de p r 1 , p 2 -t , .... P N -t ; 

(b) obtenir au niveau du cote emetteur un authentificateur h(M) en hachant le message d'authentification M en 
utilisant une fonction de hachage h ; 

(c) obtenir au niveau du cote emetteur un authentificateurchiffre h(C) de rauthentificateur h(M) en conformite 
avec : 
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h(M) a h(C) e (mod n) 

en obtenant les residus h(C) p1k1 , h(C) p2k2 , ... , h(C) pNkN module p/ 1 , p^, p N kN ,respectivement de I'authen- 
tificateur chiffre h(C) en utilisant un calcul en boucle par rapport a la premiere cl6 privee p lf p 2 , p N> et appliquer 
le theoreme de reste chinois aux residus h(C) p1k1 , h(C) p2k2 , .... h(C) pNkN ; 

(d) emettre I'authentificateur chiffre h(C) et le message d'authentification M de I'emetteurau recepteur ; 

(e) obtenir au niveau du cdte recepteur, un premier authentificateur hfM^ en calculant h(C) e (mod n) depuis 
I'authentificateur chiffre h(C) recu de I'emetteur en utilisant la seconde cle publique e ; 

(f) obtenir au niveau du cote recepteur un second authentificateur h{M) 2 en hachant le message d'authentification 
M recu de I'emetteur en utilisant lafonction de hachage h ; et 

(g) juger de I'authenticite du message d'authentification M au niveau du cote recepteur en verifiant si le premier 
authentificateur h^ et le second authentificateur h(M) 2 coincident ou non ; 

CARACTERISE EN CE QUE 

I'authentificateur chiffr6 h(C) est obtenu en utilisant la premiere cle privee procuree par les deux nombres 
premiers p., = p et p 2 = q et la premiere cle publique n procuree par le produit p k q ou k = k1 ; 
I'etape (c) obtient un residu h(K) 0 modulo p et un residu h(C) q modulo q de I'authentificateur chiffre h(C) par 
des calculs d'exposant modulaire d'entier de : 



h(K) 0 := h(M) dp (mod p) ; 

et 

h(C) q := h(M) dq (mod q) ; 

ou : 

dp := d (mod p-1) ; 

et 

dq : = d (mod q~l) ; 

et obtient un residu h(C) pk modulo p k de I'authentificateur chiffre h(C) en appliquant le calcul en boucle a h(K) 0 , 
et applique le theoreme de reste chinois aux residus h(c) pk et h(C) p ; et 
le calcul en boucle est effectue par : 

(a) etablir h(A) 0 := h (K) 0 ; 

(b) pour i - 1 a (k-1), calculer de maniere repetee : 

h(F)i := (h(Ai-! e ) (mod p i+1 ) ; 



h(E)i := (h(M) - h(F)i) (mod p i+1 ) ; 



h(B)i := h(E) i /p i dans Z ; 
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h(K)i := ((eh(F)i)- 1 h (A) w h(B)i) (mod.p) ;. 
h(A)i := h{A)i-! + p 1 h(K)i dans Z ; 

et 

(c) etablirh(C) pk : = h(A) k _ v 
Procede selon la revendication 5, dans lequel I'etape (c) applique le theoreme de reste chinois en calculant : 

qi q" 1 (mod p k ) ; 

vi := (<h(C) pk - h(C) q ) qi) (mod p k ) ; 

et 

h(C) := (h(C)q + qvi) . 
Procede selon la revendication 5, dans lequel I'etape (c) applique le theoreme de reste chinois en calculant : 

Pi := (p k ) _1 (mod q) ; 

vi := ((h(C) q - h(C)p k ) pi) (mod q) ; 

et 

h(C) := (h(C) pk + p k v x ) . 
Procede selon la revendication 5, dans lequel I'etape (c) applique le theoreme de reste chinois en calculant : 

Pi := (pV 1 (mod q) ; 
q 2 := q" 1 (mod p k ) ; 

et 

h(C) := (q x qh(C) pk + p x p k h(C)q) (mod p k q) . 
Appareil de dechiffrage pour dechiffrer un texte chiffre C obtenu a partir d'un texte ordinaire M en conformite avec : 

C = M e (mod n) 

en utilisant une premiere cle privee procuree par N>2 nombres premiers p v p 2 , p N , une premiere cle publique 
n procuree par un produit p^ 1 p 2 k2 ... p N kN ou k1, k2, kN sont des nombres entiers positifs arbitraires, une 
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seconde cle publique e et une seconde cle privee d qui satisfont : 



ed = 1 (mod L) 

ou L est le plus petit commun multiple de p r 1, p 2 -1 p N -1, 1'appareil comprenant : 

une unite de traitement de calcul pour obtenir des rSsidus M p1k1 , M p2k2 , ... M pNkN modulo p/ 1 , p 2 k2 , p N kN 
respectivement du texte en clair M en utilisant un calcul en boucle par rapport a la premiere cle privee p 1t p 2 , 
PN: et 

une unite de traitement de dechiffrage pour reconstituer le texte en clair M en appliquant le theoreme de reste 
chinois aux residus M p1k1> M p2k2 , ... M pNkN ; 

CARACTERISE EN CE QUE 

le texte chiffre C est obtenu en utilisant la premiere cle privee procuree par les deux nombres premiers p 1 = p 
et p2 = q et la premiere c!6 publique n procuree par le produit p k q ou k = k1 ; 

I'unite de traitement de calcul est adaptee pour obtenir un residu Kq modulo p et un residu M q modulo q du 
texte en clair M, par des calculs d'exposant modulaire d'entier de : 

K 0 := C dp (mod p) ; 

et 

M q := C dq (mod q) ; 

ou 

dp ":= d (mod p-1) ; 

et 

dq = d (mod q-1) ; 

et est adaptee pour obtenir un residu M pk modulo p k du texte en clair M en appliquant le calcul en boucle a K 0 ; et 
I'unite de traitement de dechiffrage de reconstitute n est adaptee pour appliquer le theoreme de reste chinois 
aux residus M pk et M q ; et 
!e calcul en boucle est effectue par : 

(a) etablir Aq := Kq ; 

(b) pour i = 1 a (k-1 ), calculer de maniere repetee : 

Fi := (Ai-! e ) (mod p i+1 ) ; . 
Ei := (C - Fi) (mod p i+1 ) ; 
Bi := Ei/p 1 dans Z ; 
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Ki := ( (eFi)- 1 ) A H B L ) (mod p) ; 



Ai : = 



Ai_! + p 1 Ki dans Z ; 



et 

(c) etablir M pk : = 



10. Systeme de communication chiffre, comprenant : 



un appareil emetteur ayant : 



une unite de traitement de generation de ctes de chiffrage/dechiffrage pour etablir N > 2 nombres premiers 
p1 , p2, p N comme premiere cle privee, et un produit p/ 1 pj* 2 ••••» PN kN comme premiere cle publique 
n, ou ki. , k2, .... kN sont des nombres entiers positifs arbitrages, et determiner une seconde cle publique 
e et une seconde cl§ privee d qui satisfont : 



ou L est le plus petit commun multiple de p r 1, p 2 -1, .... p N -1 . en utilisant la premiere cle privee ; et 

une unite de traitement de chiff rage pour obtenir un texte chiffre C a partir d'un texte en clair M en conformity 

avec : 



en utilisant la premiere cle publique n et la seconde cle publique e ; et 

un appareil r£cepteur ayant : 

une unite de traitement de calcul pour obtenir des residus M p1k1 , M p2k2 , ... M pNkN module p., k1 , p k2 , p N KN 
respectivement, du texte en clair M en utilisant un calcul en boucle par rapport a la premiere cle privee p lf 
p 2 ,...,p N ;et 

une unite de traitement de dechiffrage pour reconstituer le texte en clair M en appliquant le theoreme de 
reste chinois aux residus M p1k1 , M p2k2 , ... M pNkN ; 

CARACTERISE EN CE QUE 

le texte chiffre C est obtenu en utilisant la premiere cle privee procuree par les deux nombres premiers p., = p 
et p2 = q et la premiere cle publique n procuree par le produit p k q ou k = k1 ; 

I'unite de traitement de calcul est adaptee pour obtenir un residu Kq modulo p et un residu M q modulo q du 
texte ordinaire M, par des calculs d'exposant modulaire entier de : 



ed s 1 



(mod 



L) 



C = M e (mod n) 



K 0 := C dp (mod p) ; 



et 



M q := C dq (mod q) / 



ou 
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dp := d (mod p-1) ; 



dq = d (mod q-1) ; 

et est adaptee pour obtenir un residu M pk modulo p k du texte en clair M en appliquant le calcul en boucle a Kq ; et 
I'unite de traitement de dechiffrage est adaptee pour appliquer le theoreme de reste chinois aux residus M pk et 
M q ; et 

le calcut en boucle est effectue par : 
(aJetablir/VKo; 

(b) pour i = 1 a (k-1), calculer de maniere repetee : 



Fi := (A w e ) (mod p 1+1 ) ; 



Ei := (C - Fi) (mod p i+1 ) ; 



Bi := Ei/p 1 dans Z ; 
Ki := ( (eFiT 1 A w Bi) (mod p) ; 
Ai := Ai_! + p 1 Ki dans Z ; 
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et 

(c) etablirM pk := \. v 

11. Appareil emetteur de message d'authentification pour utilisation dans rauthentification d'un message d'authentifi- 
cation emis depuis un emetteur vers un recepteur, I'appareil comprenant : 

une unite de traitement de generation de cles de chiffrage/dechiffrage pour etablir au niveau du cote emetteur 
40 une premiere cle privee procuree par N > 2 nombres premiers p1, p2, p N , une premiere cle publique n 

procuree par un produit p/ 1 p 2 k2 ... p N kN ou k1, k2, kN sont des nombres entiers positifs arbitraires, une 
seconde cle publique e et une seconde cle privee d qui satisfont : 

45 ed s 1 (mod L) 

ou L est le plus petit commun multiple de p 1 -1 , p 2 -1, P N -1 ; 

une unite de traitement de hachage de message d'authentification pour obtenir au niveau du cote emetteur un 
50 authentificateur h(M) en hachant le message d'authentification M en utilisant une fonction de hachage h ; et 

une unite de traitement de chiffrage d'authentificateur pour obtenir au niveau du cote emetteur un authentificateur 
chiffre h(C) de I'authentificateur h(M) en conformite avec : 



55 .h(M) = h(C) e (mod n) 
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en obtenant les residus h(C) p1k1 , h(C) p2k2 , ... h(C) pNkN modulo p^ 1 , p 2 k2 , ... respectivement, de I'authen- 
tificateur chiffre h(C) en utilisant un calcul en boucle par rapport a la premiere cle privee p 1( p 2 P N et en 

appliquant le th6oreme de reste chinois aux residus h(C) p1k1 , h(C) p2k2 , h(C) PNkN et en 6mettant ensuite 
I'authentificateur chiffre h(C) et le message d'authentification M vers le recepteur ; 

CARACTERISE EN CE QUE 

Pauthentificateur chiffre h(C) est obtenu en utilisant la premiere cle privee procuree par les deux nombres 
premiers = p et p2 = q et la premiere cle" publique n procure par le produit p*q ou k = k1 ; 
T unite de traitement de chiffrage d'authentification est adaptee pour obtenir un residu h(K) 0 modulo p et un 
residu h(C) q modulo q de I'authentificateur chiffre h(C), par des calculs d'exposant modulaire d'entier de : 

h(K) 0 := h(M) dp (mod p) ; 

et 



h(C) q := h(M) dq (mod q) ; 

ou 



dp := d (mod p-1) ; 

et 



dq = d (mod q-1) ; 

et est adaptee pour obtenir un residu h(C) pk modulo p k de I'authentificateur chiffre h(C) en appliquant le calcul 
en boucle a h(K) 0> et est adaptee pour appliquer le theoreme de reste chinois aux residus h(C) pk et h(C) q ; et 
le calcul en boucle est effectue par : 

(a) etablir h(A) 0 := h (K) 0 ; 

(b) pour i = 1 a (k-1), calcule de maniere repetee : 

h{F)i := (h(A)i-! e ) (mod p i+1 ) ; 
h(E)i. := (h(M) - h(F)i) (mod p i+1 ) ; 
h(B)i := h(E) i /p i dans Z ; 
h(K)i := ((eh(F)i) -1 h(A)i-! h(B)i) (mod p) ; 
h(A)i := h(A)i^ + p i h(K)t dans Z ; 

et 

(c) etablir h(C) pk :=h(A) M . 

12. Systeme d'authentification pour authentifier un message d'authentification emis depuis un emetteur vers un recep- 
teur, le systeme comprenant : 
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un appareil emetteur ayant : 

une unite de traitement de generation de cle de chiffrage/dechiffrage pouretablir au niveau ducote emetteur 
une premiere cle priv6e procuree par N > 2 nombres premiers p 1t p 2 , ... , Pn ; une premiere cle publique n 
procuree par un produit p/ 1 , p 2 k2 , .... P N kN ° u k1, k2, kN sont des nombres entiers positrfs arbitrages, 
une seconde cle publique e et une seconde cle privee d qui satisfont : 

ed = 1 (mod L) 
ou L est le multiplicateur le moins commun de p r 1, p 2 -1, p N -1 ; 

une unite de traitement de hachage de message d'authentification pour obtenir au niveau du cote emetteur 
un authentificateur (M) en hachantle message d'authentification M en utilisant une fonction de hachage h ; et 
une unite de traitement de chiffrage d'authentificateur pour obtenir au niveau du cote emetteur un authen- 
tificateur chiffre h(C) de I'authentificateur h(M) en conformite avec : 



h(M) = h(C) e (mod n) 

en obtenant les residus h(C) p1k1 , h(C) p2k2 , h (C) pNkN modulo p^ 1 , p 2 ^ t p N kN , respectivement de 
I'authentificateur chiffre h(C) en utilisant un calcul en boucle par rapport a la premiere cle privee p n> p 2 , 
p N et en appliquant le theoreme de reste chinois aux residus h (C) p 1k1 , h (C) p 2k2 , h(C) pNkN et en 
emettant ensuite I'authentificateur chiffre h(C) et le message d'authentification M vers le recepteur ; et 

un appareil recepteur ayant : 

une unite de traitement de dechiffrage d'authentificateur pour obtenir un premier authentificateur h(M)-j par 
le calcul de h(C) e (mod n) depuis I'authentificateur chiffre h(C) recu de I'emetteur en utilisant la seconde 
cle publique e ; 

une unite de traitement de hachage de message d'authentification pour obtenir un second authentificateur 
h(M) 2 en hachant le message d'authentification M regu de I'emetteur en utilisant la fonction de hachage h ; et 
une unite de traitement de verification d'authenticite pour juger de I'authenticite du message d'authentifi- 
cation M en verifiant si le premier authentificateur 11(1^ et le second authentificateur h(M) 2 coincident ou 
non ; 

CARACTERISE EN CE QUE 

I'authentificateur chiffre h(C) est obtenu en utilisant la premiere cle privee procuree par les deux nombres 
premiers = p et p 2 = q et la premiere cle publique n procuree par le produit p k q ou k = k1 ; 
I'unite de traitement de chiffrage d'authentification est adaptee pour obtenir un residu h(K) 0 modulo p et un 
residu h(k) 0 modulo q de I'authentificateur chiffre h(C) par les calculs d'exposant modulaire d'entier de : 

h(K) 0 := h(M) dp (mod p) ; 



h(C)q := h(M) aq (mod q) ; 



dp := d (mod p-1) ; 
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dq := d (mod q-l) ; 

et est adapte pour obtenir un residu h(C) pk modulo p k de I'authentificateur chiffre h(C) en appliquant le calcul 
en boucle a h(K) 0 , et est adapte pour appliquer le theoreme de reste chinois aux residus h(C) pk et h(C) q ; et 
le calcul en boucle est effectue par : 

(a) etablir h (C) 0 := h(K) 0 ; 

(b) pour i = 1 a (k-1), calcule de maniere repetee : 



h(F)i := (h(A)i.! e ) (mod p i+1 ) ; 
is h(E)i := (h(M) - h(F)i) mod p i+1 ) ; 

h(B)i := h(E) i /p i dans Z ; 



h(K)i := ((eh(F)i)" 1 h(A) iM h(B)i) (mod p) ; 



h(A)i := h(A)i.! + p 1 h(K)i dans Z ; 

et 

(c) etablir h(C) pk := h(A) k . v 

13. Support utilisable pour ordinateur ayant un moyen de code programme lisible par ordinateur incorpore dans celui- 
ci pour amener un ordinateur a fonctionner comme appareil de dechiffrage pour dechiffrer un texte chiffre C obtenu 
a partir d'un texte en clair M en conformite avec : 

35 C s M e (mod n) 

en utilisant une premiere cle privee procuree par N > 2 nombres premiers p 1s p 2 p N , une premiere cle publique 

n procuree par un produit p/ 1 , p 2 k2 , .... p N kN ou k1, k2, kN sont des nombres entiers pos'rtifs arbitraires, une 
seconde cle publique e et une seconde cle privee d qui satisfont : 



ed = 1 (mod L) 

ou L est le plus petit commun multiple de p r 1 , p 2 -1 , p N -1 , le moyen de code programme lisible par ordinateur 
inclut : 



un premier moyen de code programme lisible par ordinateur pour amener ledit ordinateur a obtenir les residus 
M Piki, M P2k2' M pNkN modulo p/ 1 , p 2 k2 , .... p N kN , respectivement, du texte en clair M en utilisant un calcul 
50 en boucle par rapport a la premiere cle privee p 1t p 2 , ... , p N ; et 

un second moyen de code programme lisible par ordinateur pour amener ledit ordinateur a reconstituer le texte 
en clair M en appliquant le programme de reste chinois aux residus Mp 1kl , Mp 2k2 , .... Mp NkN ; 



CARACTERISE EN CE QUE 

le texte chiffre C est obtenu en utilisant la premiere cle privee procuree par deux nombres premiers p n = p et 
p 2 = q et la premiere cle publique n procuree par le produit p k q ou k = k1 ; 

le premier moyen de code programme lisible par ordinateur obtient un residu Kq modulo p et un residu M q 
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modulo q du texte en clair M, par les calculs (fexposant modulaire d'entier de : 

k 0 := C dp (mod p) ; 

et 

Mq •:= C dq (mod q) ; 

ou 

dp := d (mod p-1) 

et 

dq := d (mod q-1) ; 

et obtient un residu M pk modulo p k du texte ordinaire M en appliquant le calcul en boucle ko ; et 

le second moyen de code programme lisible par ordinateur applique le theoreme de reste chinois aux residus 

Mp k et M q ; et 

le calcul en boucle est effectue par : 

(a) etablir Aq : ko ; 

(b) pour i = 1 a (k-1), calcule de maniere repetee : 

Fi := (Ai-x 6 ) (mod p i+1 ) ; 
Ei := (C - Fi) (mod p i+1 ) ; 
Bi := Ei/p 1 dans Z ; 
Ki := ( (eFi)" 1 Aw Bi) (mod p) ; 
Ai := Ai-i + p L ki dans Z ; 

et 

(c) etablir M pk := 

14. Support utilisable par ordinateur ayant un moyen de code programme lisible par ordinateur incorpore dans celui-ci 
pour amener un ordinateur a fonctionner comme appareil emetteur de message d'authentification pour utilisation 
dans I'authentification d'un message d'authentification emis depuis un emetteur vers un recepteur, le moyen de 
code programme lisible par ordinateur inclut : 

un premier moyen de code programme lisible par ordinateur pour amener ledit ordinateur a etablir au niveau 
du cote emetteur une premiere cle privee procuree par N > 2 nombres premiers p 1t p 2 , .... p N , une premiere 
cle publique n procuree par un produit p/ 1 , p 2 k2 , .... p N kN , ou k1 , k2, kN sont des nombres entiers positifs 
arbitraires, une seconde cle publique e et une seconde cle privee e qui satisfont : 



56 



EP0 946 018 B1 



ed s 1 (mod L) 
ou L est le plus petit commun multiple de p r 1 , p 2 -l p N -l ; 

un second moyen de code programme lisible par ordinateur pour amener ledit ordinateur k obtenir au niveau 
du cote emetteur un authentificateur h(M) en hachant le message d'authentification M en utilisant une fonction 
de hachage h, et 

un troisieme moyen de code programme lisible par ordinateur pour amener ledit ordinateur a obtenir au niveau 
du cote emetteur un authentificateur chiffre h(C) de I'authentificateur h(M) en conformite avec : 

h(M) = h(C)e (mode n) 

en obtenantles residus h(C) p1k1 , h(C) p2k2 , .... h(C) pNkN modulo p^ 1 , p 2 ^, p N kN . respectivement, de I'authen- 
tificateur chiffre h(C) en utilisant un calcul en boucle par rapport a la premiere cle privee p 1f p 2> p N , et en 
appliquant le theoreme de reste chinois aux residus h (C) p1k1 , h(C) p2k2 ..... h(C) pNkN , et en emettant ensuite 
I'authentificateur chiffre h(C) et le message d'authentification M vers le recepteur : 

CARACTERISE EN CE QUE 

I'authentificateur chiffre) h(C) est obtenu en utilisant la premiere cle privee procuree par les deux nombres 
premiers p 1 = p et p 2 = q et la premiere cle publique n procuree par le produit p k q ou k = k1 ; 
le troisieme moyen de code programme lisible par ordinateur obtient un residu h(k) 0 modulo p et un residu h 
(C) q modulo q de I'authentificateur chiffr6 h(C) par des calculs d'exposant modulaire de nombre d'entier de : 

h(K) 0 := h(M) dp (mod p) ; 

et 



h(C) q := h(M) dq (mod q) ; 

ou : 



dp := d (mod p-1) ; 

et 

dq := d (mod q-1) ; 

et obtient un residu h(C) pk modulo p k de I'authentificateur chiffre h(C) en appliquant le calcul en boucle a h(k) 0 , 
et applique le theoreme de reste chinois aux residus h(C) pk et h(C) q ; et 
le calcul en boucle est effectue par : 

(a) etablirh(A) 0 =h(K) 0 ; 

(b) pour i=1 a (k-1) est calcule de maniere repetee 

h(F)i := (htAJi-! 6 ) (mod p i+1 ) ; 
h(E)i := (h(M) - h(F)i) (mod p i+1 ) ; 
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h(B)i := h(E) L /p i dans Z ; 
h(K)i := ((eh(F)ir 1 h(A)i-i h(B)i) (mod p) ; 
h(A)i := h(A)i-! -f p A h(K)i dans Z ; 



et 

(c) etablirh(C) pk :=h(A) k . r 
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FIG. 2 



c 



ENCRYPTION 



. GENERATE 
ENCRYPTION /DECRYPTION KEYS 
n = pkq 

L= lcm(p-l,q-l) 
ed = 1 (mod L) 
dp: = d(mod p-1) 
dq: = d(mod q-1) 



, — . — J 


f 


OBTAIN CEP 
C=M e 


HERTEXT C 
(mod n) 



c 



END 
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C 



DECRYPTION 



I 



J 



CALCULATE 

dp: = d (mod p-1) 
dq : = d (mod q-1) 



OBTAIN 

K 0 : = C dp (mod p) 
Mq: = C dq (mod q) 



A 0 : = 
FOR 
begin 
F 

E 
B 

K 

Ai 
end 
Mpk 



LOOP CALCULATION 
i=l to (k-1) do 

(A M e ) (mod p^ 1 ) ; 
■■ (C -Fi) (mod p i+1 ); 
= Ej/pi in Z; 
= ((eFi)- 1 Ai.iB i )(mod p) ; 
= Aj.i+ p»Kj in Z; 



= An 



OBTAIN PLAINTEXT M BY APPLYING 
CHINESE REMAINDER THEOREM 
TO Mpk & M q 



c 



END 
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FIG. 5 
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AUTHENTICATION 



I 



3 



GENERATE 
ENCRYPTION /DECRYPTION KEYS 

« 

n = pkq 

L = lcm(p-l,q-l) 
ed s l (mod L) 



OBTAIN AUTHENTICATOR h(M) 
BY HASHING AUTHENTICATION 
MESSAGE M 



I 



CALCULATE ENCRYPTED 
AUTHENTICATOR h(C) 



OBTAIN 1ST AUTHENTICATOR 
h(M)! 3 h(C) e (mod n) 



OBTAIN 2ND AUTHENTICATOR 

h(M)2 BY HASHING 
AUTHENTICATION MESSAGE M 



VERIFY AUTHENTICITY BY 
MATCHING h(M)! & h(M) 2 



> 



J 



SENDER 
SIDE 



V. RECEIVER 
f SIDE 
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